Foreword


Cyber crimes committed by malicious insiders are among the most significant threats to networked systems and data. When developing policies and procedures for responding to cyber security events, it is important to consider the insider threat.

A malicious insider is a trusted insider who abuses his trust to disrupt operations, corrupt data, exfiltrate sensitive information, or compromise an IT (information technology) system, causing loss or damage. Left unchecked, their rogue actions may compromise the nation’s ability to fend off future attacks and safeguard critical infrastructure assets, such as the electric power grid. In fact, some of the most damaging attacks against the government have been launched by trusted insiders. As increased information-sharing exposes sensitive information to more insiders, such attacks will become an increasingly serious threat. These concerns are shared by the private sector, where corporations maintain valuable, highly sensitive information and financial institutions manage the flow of and access to electronic funds.

The research described in this report was sponsored by the Department of Homeland Security Science and Technology Directorate’s Homeland Security Advanced Research Projects Agency Cyber Security Division. The work was conducted, and the report written, by members of the CERT® Insider Threat Center at Carnegie Mellon University’s Software Engineering Institute.

The authors built upon a previous S&T-funded 2004 report, Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector, to develop a greater understanding of the behavioral, technical, and organizational factors that lead to insider threat attacks [Randazzo 2004]. Drawing on case files provided by the United States Secret Service, they analyzed actual incidents of insider fraud, from inception to prosecution. As part of their effort, the authors compared the technical security controls commonly used to prevent internal and external attackers. Their findings can be used to inform risk management decisions being made by government and industry and to support law enforcement in cybercrime investigations.

I would like to specifically recognize the tremendous participation by the United States Secret Service in this effort. In granting the authors access to case files, the agency was instrumental in the development of this report.


Douglas Maughan, Director
Cyber Security Division

Homeland Security Advanced Research Projects Agency
Science and Technology Directorate
Department of Homeland Security


Executive Summary


This report describes a new insider threat study funded by DHS S&T in collaboration with the USSS and the CERT® Insider Threat Center, part of Carnegie Mellon University’s Software Engineering Institute. The primary goal of the current research is to produce empirically derived findings from insider and outsider computer criminal activity within the banking and finance sector to help security professionals prevent, detect, and manage malicious insider activity and risk. The central question of this research is

What are the observable technical and behavioral precursors of insider fraud in the financial sector and what mitigation strategies should be considered as a result?

For the purposes of the current study, we focus on attacks rather than accidental acts and continue to define a malicious insider as

a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems [Cappelli 2009]

Staff of the Insider Threat Center extracted technical and behavioral patterns from 67 insider fraud cases, as well as 13 external fraud cases; all 80 cases occurred between 2005 and the present. Using this information and discussions with staff of other agencies, including the Department of the Treasury, and from some financial organizations, we developed insights and risk indicators of malicious insider activity within the financial services sector.

The majority of the 80 organizations impacted by these crimes are included in the banking and finance industry, including retail, commercial, and investment banks; accounting firms; credit card issuers; federal credit unions; and insurance providers; while some are financial departments of retail businesses (automobile, builders, employee benefit providers, employee staffing, engineering, fashion, home improvement, transportation) and federal, state, and local governments. This information is intended to help private industry, government, and law enforcement more effectively prevent, deter, detect, investigate, and manage insider threat in this sector.

Our research applied the multiple case study method described by Yin [Yin 2009]. USSS cases of insider fraud were selected if they occurred against a U.S. organization, almost exclusively resulted in criminal conviction, and had a sufficient quantity and quality of behavioral and technical information available. A small set of external fraud cases were also studied to facilitate an informal comparison with the insider cases. The exploratory nature of this study and its method of case selection make it challenging to generalize our results to a larger population of insider fraud. Nevertheless, this study does help provide an understanding of the precursors and contextual factors that surround and influence a select sample of insider fraud cases in the financial services sector.

CERT is a registered trademark owned by Carnegie Mellon University.

External fraud cases are those in which no malicious insiders were involved.

USSS case types include criminal violations involving fraud against banks, savings and loan associations, credit unions, check cashers, stockbrokers, and other financial organizations.

Of the 67 insider cases, only 1 did not result in being adjudicated guilty by a U.S. court of law. In that case, investigators found sufficient evidence of the crime to warrant prosecution, but other factors in the case resulted in it being declined for prosecution.

Findings 

The following six broad findings are based on analysis of the 80 cases selected and examined for this report.

FINDING ONE — Criminals who executed a “low and slow” approach accomplished more damage and escaped detection for longer.

• On average, over 5 years elapse between a subject’s hiring and the identified start of the fraud, and it takes an average of almost 32 months to be detected by the victim organization.

• The lower 50 percent of cases (under 32 months in length) had an average actual monetary impact of approximately $382,750, while the upper 50 percent (at or over 32 months in length) had an average actual monetary impact of approximately $479,000.

FINDING TWO — Insiders’ means were not very technically sophisticated.

• Very few subjects served in a technical role (e.g., database administrator) or conducted their fraud by using explicitly technical means.

• In more than half of the cases, the insider used some form of authorized access, whether current or authorized at an earlier time but subsequently withdrawn for any number of reasons, including change in job internally or a change in employer, and in a few of the cases, the insider used some non-technical method to bypass authorized processes.

FINDING THREE — Fraud by managers differs substantially from fraud by non-managers by damage and duration.

• Fraud committed by managers consistently caused more actual damage ($200,105 on average) than fraud committed by non-managers ($112,188 on average).

• Fraud committed by managers lasted almost twice as long (33 months) as compared to non-managers (18 months).

• Of all the non-managers, accountants cause the most damage from insider fraud ($472,096 on average) and evade detection for the longest amount of time (41 months).

FINDING FOUR — Most cases do not involve collusion.

• Only 16 percent of the fraud incidents involved some type of collusion, with 69 percent of those involving collusion exclusively with outsiders.

• Only 1 case involved collusion with other insiders.
FINDING FIVE — Most incidents were detected through an audit, customer complaint, or co-worker suspicion.

• Routine or impromptu auditing was the most common way that an attack was detected (41 percent). In terms of who detected the attack, internal employees were the most common (54 percent) followed by customers (30 percent).

• Only 6 percent of the cases were known to involve the use of software and systems to detect the fraudulent activity.

• Transaction logs, database logs, and access logs were known to be used in the ensuing incident response for only 20 percent of the cases.

FINDING SIX — Personally identifiable information (PII) is a prominent target of those committing fraud.

• Roughly one-third (34 percent) of the cases involved PII being the target by the insider or external actor with younger, non-managers stealing PII more often than older employees.

• The average tenure of employees who stole PII was shorter than the tenure of malicious insiders who did not steal PII.

Our modeling and analysis of insider fraud cases revealed two scenarios: the manager scenario (51 percent) and the non-manager scenario (49 percent). In the manager scenario, the perpetrators of fraud are able to alter business processes, sometimes by manipulating subordinate employees, to profit financially. In the non-manager scenario, the perpetrators are often customer service representatives who alter accounts or steal customer account information or other PII to defraud the organization. These two scenarios share many patterns, but each has key distinguishing characteristics regarding timeline, incentives, the organization’s trust in the insider, others’ suspicions, outsider facilitation, and concealment. Fraud cases examined in previous CERT studies were more similar to the fraud committed by non-managers than that committed by managers.

Recommendations

The following behavioral and/or business process recommendations, and monitoring and technical recommendations are provided in response to the six findings described above. These recommendations are intended to be implemented in conjunction with other organizational controls targeted at preventing, detecting, or responding to malicious insider activity. Be sure to consult with legal counsel prior to implementing any recommendations to ensure compliance with federal, state, and local laws.

Behavioral and/or Business Process

• Clearly document and consistently enforce policies and controls.

• Institute periodic security awareness training for all employees.

Monitoring and Technical

• Include unexplained financial gain in any periodic reinvestigations of employees.

• Log, monitor, and audit employee online actions.

• Pay special attention to those in special positions of trust and authority with relatively easy ability to perpetrate high value crimes (e.g., accountants and managers).

• Restrict access to PII.

• Develop an insider incident response plan to control the damage from malicious insider activity, assist in the investigative process, and incorporate lessons learned to continually improve the plan.
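The findings above report that most of the fraud was "low and slow", that audits rather than software detected it, and that PII was a frequent target; the monitoring recommendations call for logging, monitoring, and auditing employee actions and for restricting access to PII. As an added example, which is not part of the CERT/SEI report, the following Python implements two audit checks of that kind over constructed log lines: one surfaces an employee whose many small, below-threshold adjustments are spread over months, and the other flags PII views either by a role not permitted to see PII or at an unusual daily volume. The log format, field names, role policy, thresholds, and every sample record are assumptions made for this illustration.

```python
"""Two audit checks over constructed log lines (added example, not code from
the CERT/SEI report). The log format, field names, role policy, thresholds,
and every sample record below are assumptions made for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed transaction log: timestamp,employee,role,action,account,amount
TRANSACTION_LOG = """\
2010-01-04T10:12:00,emp017,teller,ADJUST,ACC-4411,-420.00
2010-03-15T14:05:00,emp017,teller,ADJUST,ACC-4411,-380.00
2010-05-20T09:41:00,emp017,teller,ADJUST,ACC-7720,-450.00
2010-08-02T11:30:00,emp017,teller,ADJUST,ACC-4411,-410.00
2011-02-01T10:00:00,emp017,teller,ADJUST,ACC-4411,-440.00
2011-06-30T15:15:00,emp017,teller,ADJUST,ACC-7720,-425.00
2010-06-01T09:00:00,emp042,manager,TRANSFER,ACC-1000,-25000.00
2010-06-02T09:00:00,emp042,manager,TRANSFER,ACC-1000,-30000.00
2011-04-01T09:00:00,emp003,teller,ADJUST,ACC-5555,-300.00
2011-04-03T09:00:00,emp003,teller,ADJUST,ACC-5555,-310.00
2011-04-05T09:00:00,emp003,teller,ADJUST,ACC-5555,-290.00
2011-04-08T09:00:00,emp003,teller,ADJUST,ACC-5555,-305.00
2011-04-20T09:00:00,emp003,teller,ADJUST,ACC-5555,-300.00
"""

# Constructed PII access log: timestamp,employee,role,action,customer
ACCESS_LOG = """\
2011-03-02T09:00:00,emp017,teller,VIEW_PII,CUST-9012
2011-03-02T09:03:00,emp017,teller,VIEW_PII,CUST-9013
2011-03-02T10:00:00,emp058,customer_service,VIEW_PII,CUST-1001
2011-03-02T10:04:00,emp058,customer_service,VIEW_PII,CUST-1002
2011-03-02T10:07:00,emp058,customer_service,VIEW_PII,CUST-1003
2011-03-02T10:09:00,emp058,customer_service,VIEW_PII,CUST-1004
2011-03-03T11:00:00,emp061,customer_service,VIEW_PII,CUST-2001
"""

# Assumed access policy: roles allowed to view PII, and the number of distinct
# customers per day that counts as a normal workload for such a role.
PII_ALLOWED_ROLES = {"customer_service", "compliance"}
MAX_DAILY_PII_VIEWS = 3


def parse_log(text):
    """Turn comma-separated lines into dicts; the amount field is optional."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        rec = {"ts": datetime.fromisoformat(fields[0]), "employee": fields[1],
               "role": fields[2], "action": fields[3], "target": fields[4]}
        if len(fields) > 5:
            rec["amount"] = float(fields[5])
        records.append(rec)
    return records


def find_low_and_slow(records, max_amount=500.0, min_count=5, min_span_days=180):
    """Flag employees with many small debits spread over a long period.

    Every transaction stays under max_amount (an assumed per-transaction review
    threshold), so a limit on single transactions never fires; only a review of
    the accumulated history over months surfaces the pattern.
    Returns {employee: {"count", "total", "span_days"}}.
    """
    by_emp = defaultdict(list)
    for rec in records:
        if "amount" in rec and rec["amount"] < 0 and -rec["amount"] < max_amount:
            by_emp[rec["employee"]].append(rec)
    flagged = {}
    for emp, recs in by_emp.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).days
        if len(recs) >= min_count and span >= min_span_days:
            flagged[emp] = {"count": len(recs),
                            "total": round(sum(r["amount"] for r in recs), 2),
                            "span_days": span}
    return flagged


def find_pii_access_anomalies(records, allowed_roles=PII_ALLOWED_ROLES,
                              max_daily=MAX_DAILY_PII_VIEWS):
    """Flag PII views by roles not permitted to see PII, and unusually high
    daily volumes of distinct customers viewed by roles that are permitted.
    Returns a sorted list of (employee, reason) pairs."""
    daily = defaultdict(set)  # (employee, date) -> customers viewed that day
    findings = set()
    for rec in records:
        if rec["action"] != "VIEW_PII":
            continue
        if rec["role"] not in allowed_roles:
            findings.add((rec["employee"], "role_not_permitted"))
            continue
        daily[(rec["employee"], rec["ts"].date())].add(rec["target"])
    for (emp, _day), customers in daily.items():
        if len(customers) > max_daily:
            findings.add((emp, "excessive_daily_volume"))
    return sorted(findings)


if __name__ == "__main__":
    for emp, info in find_low_and_slow(parse_log(TRANSACTION_LOG)).items():
        print(f"low-and-slow pattern: {emp} {info}")
    for emp, reason in find_pii_access_anomalies(parse_log(ACCESS_LOG)):
        print(f"PII access finding: {emp} {reason}")
```

In the sample data, emp017 is flagged by the first check (six sub-threshold adjustments across roughly eighteen months), while emp003 is not, because the same number of small adjustments all fall within one month; the second check flags emp017 for viewing PII from a teller role and emp058 for an above-policy number of distinct customers in a day. The design point is that both checks need the organization to retain and periodically review history, not just inspect each transaction or access as it happens.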
Abstract

This report describes a new insider threat study funded by the U.S. Department of Homeland Security (DHS) Science and Technology Directorate (S&T) in collaboration with the U.S. Secret Service (USSS) and the CERT Insider Threat Center, part of Carnegie Mellon University’s Software Engineering Institute. Researchers extracted technical and behavioral patterns from 67 insider and 13 external fraud cases; all 80 cases occurred between 2005 and the present. Using this information, we developed insights and risk indicators of malicious insider activity within the banking and finance sector. This information is intended to help private industry, government, and law enforcement more effectively prevent, deter, detect, investigate, and manage insider threats in this sector.
1 Introduction

This report describes a new insider threat study funded by DHS S&T. The CERT® Insider Threat Center completed the study in collaboration with the USSS. This effort extracted technical and behavioral patterns from 80 fraud cases — 67 insider and 13 external — that occurred between 2005 and the present. These cases were used to develop insights and risk indicators to help private industry, government, and law enforcement more effectively prevent, deter, detect, investigate, and manage malicious insider activity within the banking and finance sector. This study updates an initial study of insider threats in the banking and finance sector [Randazzo 2004].

The report starts by providing definitions, an overview of selected current literature on insider threats, and the study research methodology, which may be of greater interest to researchers than financial sector practitioners. It then covers the findings we derived from an analysis of selected cases and describes a system dynamics model of the crime of fraud. Finally, we compare this crime profile, including the system dynamics model, with other crimes, provide mitigation strategies, and describe additional steps that could be taken by researchers or information security practitioners in this area who hope to reduce the occurrence of individuals committing illegal acts against their organization.

1.1 Terms and Definitions

A number of authors have defined insider attacks and characterized insider subjects. Predd and colleagues define an insider generally as someone with legitimate access to an organization’s information assets, including contractors, auditors, temporary employees, former workers, and non-malicious subjects who cause damage unintentionally [Predd 2008]. This definition is broader than many others, but it generally reflects a consensus in the literature that, in addition to current employees, insiders may include other personnel with past or current authorized access, including contractors or even customers. For the purposes of the current study, we concentrated on insiders who caused harm to an organization through deliberate actions.

The following definitions are critical to our study:

• A malicious insider is a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems [Cappelli 2009].


CERT is a registered trademark owned by Carnegie Mellon University.

More information about the CERT Insider Threat Center is available in Appendix A.

External fraud cases are those in which no malicious insiders were involved.
• Insider fraud is a malicious insider’s use of IT for the unauthorized modification, addition, or deletion of an organization’s data (not programs or systems) for personal gain or the theft of information leading to an identity crime [Weiland 2010].

• An identity crime is “the misuse of personal or financial identifiers in order to gain something of value and/or facilitate some other criminal activity.”

• A victim organization is a business entity that was impacted by the actions of a malicious insider.

• A precursor is an action, event, or condition that precedes the insider crime and is hypothesized to be associated with that crime. If the hypothesized association can be confirmed with a comparison to case controls, then those observable precursors indicate increased risk of the crime [Band 2006].

1.2 Related Empirical Research

Empirical insider threat research generally falls into one of three categories:

• surveys of violation frequency by type as reported anonymously by victim organizations

• simulations of insider actions by experimental groups

• post-hoc reviews of actual cases

The rest of this section provides a high-level overview of each of these three areas of empirical research.

1.2.1 Surveys

For years researchers have surveyed organizations to gather data on the frequency and types of computer-related crimes and violations they have experienced. Two of the most prominent surveys are the Computer Security Institute (CSI) survey, conducted in collaboration with the Federal Bureau of Investigation (FBI), and the CSO Magazine survey, conducted in collaboration with the USSS and the CERT Insider Threat Center. This critical information has

• established the frequency, types, costs, and countermeasures involved in a range of computer crimes experienced by a range of government, private, and other participating organizations

• documented important trends in computer crimes such as an apparent increase in the sophistication of insider crimes [CSO 2011]

Similar surveys by Verizon have documented the variety and seriousness of these breaches [Verizon 2011]. This research has reconfirmed the continued impact of insider acts within the banking and finance sector.


This definition comes from the USSS website (http://www.secretservice.gov/criminal.shtml).

For more information, see the article titled “2011 Cybersecurity Watch Survey: Organizations Need More Skilled Cyber Professionals to Stay Secure” [CSO 2011].
1.2.2 Simulations

Computer scientists have often simulated insider activity to test different insider activity detection methods. Maybury and colleagues performed one of the most thoroughly reported simulations of this kind [Maybury 2005]. They assessed the timeliness and accuracy of several prototype techniques to provide early warning of malicious insider activity in an operational setting. More recently, Caputo and colleagues applied a blind control group format to an insider simulation. In a double-blind, control-group experimental design, Caputo and colleagues compared volunteer MITRE employees acting as highly motivated malicious versus benign insiders in pursuit of similar information targets [Caputo 2009a, Caputo 2009b]. The study’s design addressed a critical deficiency in the insider threat literature: the lack of control groups involving insiders who violate policies or laws with versus without malicious intent. The research revealed that these groups used somewhat different approaches that could distinguish their motivation for security professionals.

While simulations are excellent for conducting exploratory research, testing detection methods, and overcoming gaps in more naturalistic research designs, researchers and practitioners should work closely together to generalize the results to actual insider activity within the banking and finance sector. Empirically derived lessons learned need to be interpreted and evaluated by security personnel in this area.

1.2.3 Case Studies and Other Empirical Research

The Defense Personnel Security Research Center (PERSEREC) compiled information related to espionage and insider events and produced two data sets that are available for research. The National Security Espionage Database contains publicly available information on espionage against the United States and includes 200 case variables describing more than 150 criminal events [Herbig 2002]. While this data set provides an invaluable overview of these cases over time, it does not provide the level of information available from more in-depth case studies with additional data sources, such as interviews with investigators, suspects, and their co-workers and legal records. This detailed information is critical to deriving practical lessons for security practitioners. However, the PERSEREC did compile more detailed data on 80 cases involving insiders who targeted the U.S. Department of Defense, military contractors, and other components of the U.S. critical infrastructure [Fischer 2003]. Shaw, Ruby, and Post reported more detailed data on a subset of these cases [Shaw 1998].

Shaw and Fischer used a multiple-source, case-study approach to examine 10 cases of malicious insider information technology (IT) activity in critical infrastructure industries [Shaw 2005]. For each case, they examined the background of the event, the environment in which it occurred, the specifics of the event, the motivations of the subject, the investigative and legal actions taken, and the lessons learned.

CERT Insider Threat Center research has focused on malicious insider threat compromises that have been adjudicated in the United States. In 2002, the Insider Threat Study Team, composed of USSS behavioral psychologists and CERT information security experts, collected approximately 150 insider threat cases that occurred in U.S. critical infrastructure sectors between 1996 and 2002 and examined them from both a technical and a behavioral perspective. The USSS and DHS S&T funded this project. A subsequent study examined 23 incidents of illicit insider activity in the banking and finance sector and reported the following key findings [Randazzo 2004]:

• In 87 percent of the cases, the insider used legitimate system commands in committing the malicious activity. The insiders needed little technical sophistication because they tended to exploit known or newly discovered design flaws in systems used to enforce business rules or policies.

• Of the perpetrators, 81 percent planned their actions in advance.

• In 85 percent of the cases, someone else knew about the insider’s actions before or during the malicious acts.

• In 81 percent of the cases, financial gain motivated the perpetrators. Revenge was the motivator in 23 percent of the cases, and 27 percent of the perpetrators were experiencing financial difficulties at the time they committed the acts.

• Perpetrators came from a variety of positions and backgrounds within the victim organization, but management had identified 33 percent of them as “difficult” and 17 percent as “disgruntled.”

• Audit logs helped to identify the insiders in 74 percent of the cases.

• Of the victim organizations, 91 percent suffered financial loss, with amounts ranging from hundreds to hundreds of millions of dollars.

• Of the perpetrators, 80 percent committed the malicious acts while at work, during working hours.

The USSS and the CERT Insider Threat Center published the results of the study in a series of case analyses in the banking and finance sector [Randazzo 2004], the IT sector [Kowalski 2008a], the government sector [Kowalski 2008b], and IT sabotage across all critical infrastructure sectors [Keeney 2005]. The 2004 USSS/CERT Insider Threat Study laid the foundation for extensive follow-on research within the CERT Insider Threat Center, including the development of models, reports, training, and tools to accomplish the following:

• raise awareness of the risks of insider threat

• help identify the factors influencing an insider’s decision to act

• help identify the indicators and precursors of malicious acts

• identify countermeasures that will improve the survivability and resiliency of the organization

Over the past seven years, Carnegie Mellon’s CyLab, followed by DHS National Cyber Security Division Federal Network Security Branch, funded the CERT Insider Threat Center to update its case library with more recent cases. Over 550 additional cases were collected and coded in the CERT insider threat database, bringing the case library total to over 700. The general structure of the database, depicted in Figure 17 on page 51, includes 30 major constructs and is operationalized by hundreds of specific variables.


For more information, visit the CyLab website (http://www.cylab.cmu.edu/).


CMU/SEI-2012-SR-004  |  4 


1.3 Theory Related to the Insider Threat

There is an abundance of literature on counterproductive work behavior (CWB), which Sackett defines as “any intentional behavior on the part of an organizational member viewed by the organization as contrary to its legitimate interests” [Sackett 2002a]. CWB includes a wide variety of both self-destructive and retaliatory behaviors, but it specifically encompasses sabotage, stealing, fraud, and vandalism. Sackett also provides a thorough review of the CWB literature and groups the antecedents of CWB into personality variables, job characteristics, work group characteristics, organizational culture, control systems, and perceived injustice [Sackett 2002b]. This work supports Shaw’s research and the CERT Insider Threat Center’s previous research findings on personal predispositions and organizational and individual stressors as antecedents of a range of malicious activity [Shaw 2006, Band 2006].

The primary personality model used in CWB research is the Five Factor Model (FFM), which includes dimensions of openness to experience, extraversion, conscientiousness, agreeableness, and emotional stability. After reviewing the literature on the FFM dimensions and CWBs, Salgado found 44 studies conducted between 1990 and 1999 that examine the relationships between the FFM dimensions and deviant behaviors (17), absenteeism (13), work-related accidents (9), and turnover (5) [Salgado 2002]. This work showed that low levels of conscientiousness and agreeableness were significant, valid predictors of workplace deviance. Related work showed that workplace stress and the perceived status of the insider within the organization were correlated with CWBs [Mount 2006, Stamper 2002].
2 Research Method

The primary goal of the current research is to produce empirically derived findings from insider and outsider computer criminal activity within the banking and finance sector to help security professionals prevent, detect, and manage malicious insider activity and risk. This section provides an overview of the research method, including subject or case selection criteria and sources, case coding procedures, and the system dynamics modeling approach.

The central question addressed by this research is

What are the observable technical and behavioral precursors of insider fraud in the cases examined for this study, which are drawn from the financial sector, and what mitigation strategies should be considered as a result?

This research applied the multiple (or comparative) case study method described by Yin, Kaarbo, and Beasley [Yin 2009, Kaarbo 1999]. This approach supports analytical generalizations and hypothesis testing of available data rather than statistical comparisons across groups or populations (e.g., subjects with various levels of risk factors who do and do not commit insider acts). Because it is difficult to get separate samples of individuals with hypothesized risk characteristics who do and do not commit insider acts, our study sought general patterns among demonstrated insider subjects, especially personal characteristics and behavioral and technical steps associated with insider attacks.

2.1  Case  Identification  and  Selection 

The  following  criteria  guided  the  selection  of  insider  cases: 

1. The case subject is a malicious insider who committed fraud using some form of information technology. This explicitly excluded many cases where the insider defrauded a financial institution by means of simple cash drawer theft.¹

2.  The  victim  organization  is  U.S.  based. 

3. The subject’s actions were confirmed by criminal conviction, confession, or other independent, reliable, and verifiable means.

4. Sufficient quantity and quality of information is available to ensure that cases are of comparable depth and have the appropriate amount of behavioral and technical details.


¹ Two cases that more closely resembled IT sabotage and theft of IP were retained because of their impact and relevance to the concerns of the financial sector.

In addition, a small set of external fraud cases — cases in which no malicious insiders were involved — were also studied to facilitate an informal comparison with the insider cases. This study’s selection of prosecuted cases, including cases that ended in a plea bargain, may have caused a selection bias toward insider events that are not typical of all insider offenses. It is generally acknowledged that many insider offenders are not prosecuted due to

1. the difficulty of prosecuting these cases

2.  the  costs  of  pursuing  small-value  crimes  or  crimes  where  recovery  of  misappropriated  funds 
is  unlikely 

3.  the  relatively  mild  sentences  that  often  result  from  conviction 

4.  the  potentially  negative  impact  on  the  victim  organization’s  public  image 

Prosecuted  cases  may  represent  a  distinct  subset  of  insider  events  in  which  the  victim  organization 

•  was  highly  motivated  to  work  with  law  enforcement  by  the  extent  of  the  offense  and  the  real 
and  reasonable  likelihood  of  a  successful  outcome,  such  as  recovery  of  funds 

•  needed  an  agency’s  police  powers  (e.g.,  search,  forensic  investigation,  arrest)  to  terminate 
the  activity  or  gain  redress 

Nonetheless,  these  cases  offered  the  study  team  an  added  measure  of  data  reliability. 

While information from USSS case files was the starting point for our research, we also searched other sources for information on these cases, including various media outlets (found through searches on LexisNexis news databases and internet search engines such as Google) and criminal justice databases (found through searches on LexisNexis court databases). Finally, we conducted interviews with principal parties involved in investigating the incident, primarily the law enforcement or bank investigators involved.

2.2  Coding  Method  and  Database  Description 

Case coding is a critical process in which information gathered through case file document review and interviews is entered into the CERT insider threat database according to a prescribed methodology that is documented in a codebook. Appendix B shows the structure of the database used in this project, which is the same as the structure of the codebook that guided the coding process.

The  codebook  provides  operational  definitions  and  examples  of  all  the  required  items. 

Because reliability is important for all types of data collection, we develop, test, and follow specific procedures to ensure that data are collected and coded in a consistent and predictable manner. To address consistency in coding, coders were 1) trained by more experienced coders and 2) briefed on the codebook’s conceptual framework and typology to help them gain a clear understanding of the contents. Once trained coders completed cases, a second coder examined the coding results to ensure that details in the original source documents were not inadvertently missed by the first coder. Furthermore, a record quality index is automatically calculated for each case; in doing so, missing or blank fields are flagged so that a coder either has to indicate that field as explicitly unknown or enter the information found in the sources.
2.3 Modeling and Analysis Approach


The primary purpose of our modeling effort is to clarify the complex nature of the insider fraud threat. Our models evolved through a series of group data analysis sessions with individuals experienced in both the behavioral and technical aspects of insider crimes. We used system dynamics, a method for modeling and analyzing the holistic behavior of complex problems as they evolve over time [Sterman 2000]. System dynamics model boundaries encompass all the variables necessary to generate and understand problematic behavior. This approach encourages the inclusion of soft factors in the model, such as policy-related, procedural, administrator, or cultural factors.

The system dynamics models for this project were developed during a group modeling session and presented to several financial organizations prior to the publication of this report. System dynamics modeling involves identifying the primary variables of interest, the influences between these variables, and the feedback loops that are critical for understanding the complex behavior associated with insider fraud. Our group modeling session brought together people from various specialty areas, including clinical psychology, behavioral science, computing science, and cybersecurity. The group studied the details associated with and identified patterns in the insider fraud data. The group modeling process enabled the team to step back and consider the big picture at times and focus on individual concepts at other times. The goal was not to represent all cases with perfect accuracy but to paint a broad picture that represents key dynamic aspects of a preponderance of the case findings.
3 Crime Profile and Findings


Our case analysis yielded six findings based on trends and descriptive statistics observed in the case files, which are detailed in this section; however, a more general characterization of the subjects and the crimes will hopefully provide additional insights. The crime profile describes variables such as sex and age of the subject, but do not presume that this establishes a clear individual profile that could be acted upon. In fact, it most likely describes a profile of a large number of individuals who work in this industry. Rather than infer that the characteristics we describe below could be used for targeting in your workplace, compare them to your own organization to determine if and why the same characteristics may or may not depart from what we found in this set of cases. Eighty cases are included in the analyses below. The 13 external cases were excluded from many of the analyses that relate mainly to insider issues and were not considered when calculating those statistics.


3.1  Subject  and  Crime  Description 


Age  at  the  Beginning  of  the  Offense 


Data on age at the time of the offense were available for 58 of the insider fraud cases. The average age at the initiation of the crime was 39 and the median age was 38. Figure 1 shows the distribution of cases by age ranges.


Figure 1: Number of Insider Fraud Cases by Age (bar chart of the number of cases by age range: 20-25, 26-30, 31-35, 36-40, 41-45, 46-50, 51-55, and 56-60 years)
Gender


Twenty-three  (31  percent)  of  the  67  insider  fraud  subjects  were  male  and  44  (69  percent)  were 
female.  This  finding  departs  from  our  previous  case  research  on  fraud,  which  found  gender  more 
evenly  split  between  male  and  female  subjects  [Randazzo  2004].  The  high  incidence  of  female 
perpetrators  in  this  data  does  not  indicate  a  greater  likelihood  for  females  to  commit  fraud  as 
much  as  it  may  reflect  the  distribution  of  women  in  these  roles  within  the  organizations  studied. 
For  example,  52  percent  of  the  female  subjects  were  in  non-management  positions,  while  only  30 
percent  of  the  male  subjects  were  in  non-management  positions.  This  finding  may  reflect  the  fact 
that  women  were  simply  over-represented  in  our  sample. 

Subject’s Country of Origin

Data on national origin were available for 46 of the 67 insider cases. Eight subjects out of 46 (17 percent) were citizens of a foreign country. No single country or region was consistently represented, with Nigeria being the only country to occur more than once. Others involved subjects from China, Guatemala, Venezuela, Vietnam, Jamaica, Guyana, and the Bahamas. Data on national origin were available for 6 of the 13 external cases. Of those 6 cases, 3 were U.S. citizens and 3 were from foreign countries.

Monetary  Impact  and  Sentence 

Actual damages are indicated in every USSS case file as the dollar amount the victim organization lost as a result of the subject’s activities, while potential damages are the monetary damages that the subject had the ability to cause had he not been caught. Figure 2 shows the actual and potential damages for all 80 cases — the significant difference between the average and median was in large part due to the largest case with an actual and potential damage amount of 28 million dollars.


Figure 2: Average and Median Actual and Potential Damage (in Dollars) (bar chart showing the average and the median for actual damage and for potential damage)

Though we examined a smaller number of external cases, Figure 3 shows the difference in damages, both average and median, between our 67 internal cases and the 13 external cases.
Figure 3: Comparison of Damages for Internal and External Cases (bar chart: internal and external case damage comparison)

Figure 4 reflects the length of the sentence, both in terms of the jail time and the probation or supervised release. Because of the number of longer sentences, the average time was higher than the median by about 9 months. Subjects were, on average, sentenced to 2.3 years of jail time, while they were given 3.2 years of supervised release. It is limiting to have a felony on one’s record in addition to stipulations that prohibit one from working in a fiduciary role; however, consistent pre-employment screening should be followed to reduce the chance that a previous violation goes unidentified during the hiring process.
Figure 4: Average and Median Sentence Outcomes (in Years) (bar chart showing the sentence average and sentence median for jail time and for probation or supervised release)


The  remainder  of  this  section  will  detail  six  findings  that  we  derived  from  an  analysis  of  80  cases. 

3.2  FINDING  ONE:  Criminals  who  executed  a  “low  and  slow”  approach 
accomplished  more  damage  and  escaped  detection  for  longer. 

This  finding  addresses  the  chronological  relationships  among  important,  common  events  in  our 
cases.  We  calculated  average  times  between  those  events  to  determine  the  window  during  which 
the  victim  organization(s)  might  have  been  able  to  detect  and  respond  to  the  incident. 

3.2.1  Description 

The  milestones  we  examined  were  the  point  at  which 

1. the subject was hired

2.  the  subject  began  the  fraud  activities 

3.  the  victim  organization  detected  the  fraud 

4.  the  victim  organization  reported  the  fraud  to  law  enforcement  (LE) 

Data were available for the milestones from 47 insider cases. The available case information yields an interesting and somewhat consistent trend regarding the amount of time between these milestones. Examining only these milestones provides only part of a case chronology, since it does not take into account other potentially significant events in the life of the subject or developments within the victim organization. However, it may suggest windows of opportunity during which specific measures may prevent or disrupt the fraud activities or lessen their ultimate impact. Figure 5 shows the average timeline for the 47 cases where these data were available.
Figure 5: Average Timeline of a Case (in Months)

There are, on average, over 5 years between a subject’s hiring and the start of the fraud. Though some subjects may have started planning and even executing their fraud before the first known instance of fraud captured in the case, this analysis indicates that subjects worked for a long period of time without conducting any fraudulent activities. Though we observed personal and/or financial struggles in individual cases that led to those subjects committing their fraud, there was not a known, common event (e.g., divorce, personal bankruptcy, change of work assignment) that immediately preceded or triggered the fraud.

More concerning are the 32 months between the beginning of the fraud and its detection by the victim organization or law enforcement. This is another lengthy period during which organizations may be able to counter the fraud, if not prevent it. Stopping the fraud during this period could lessen its impact on the victim organization.

Comparing potential and actual monetary damages to the duration of the crime may suggest what controls may have been effective at detecting fraud activities. Figure 6 shows an interesting, although not entirely consistent, picture of this comparison.
Though the data do not show a definitive correlation where the longer duration crimes clearly cause more financial impact, they do show some interesting trends. The lower 50 percent of cases (under 32 months in length) had an average actual monetary impact of approximately $382,750, while the upper 50 percent (at or over 32 months in length) had an average actual monetary impact of approximately $479,000. The “low and slow” crimes had, on average, 132 fraud events over the course of the crime. The highest number of fraud events during a crime was 756 over a duration of 47 months. Cases with durations of 32 months or longer and a known number of fraud events always had over a dozen theft events, with the lowest number of theft events for a case being 18. Excluding an upper outlier of 756, the average number of thefts for a case 32 months or longer is 58 theft events.

Victim organizations were apparently effective at detecting the crimes that took place for a short period of time, even though the subjects were still able to cause significant financial damage. Victim organizations were not as effective at detecting the longer term crimes, and the incremental damage (i.e., monthly, weekly amount stolen) was much lower in these cases, which may not have drawn as much attention. We recommend that financial organizations examine areas of their business in which an insider may be able to defeat controls where thresholds of activity (e.g., manager approval for transactions exceeding $10,000) may not be reached.

Organizations should attempt to address fraud crimes by deploying controls that would be effective for the large thefts that occur in short periods of time as well as the small thefts that continue for long periods of time.
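The threshold-evasion pattern described in this finding can be checked mechanically. The following Python is an added example, not code from the report or from the CERT Insider Threat Center: it runs two detections over a constructed transfer ledger, one for single transfers that reach the per-transaction approval threshold (the report’s $10,000 example) and one for “low and slow” runs of sub-threshold transfers from one initiator to one beneficiary whose count and total inside a sliding window are themselves large. The record layout, the employee and account identifiers, the amounts, and the window parameters are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Transfer:
    day: date
    initiator: str    # employee who keyed the transfer (hypothetical field)
    beneficiary: str  # account that received the funds (hypothetical field)
    amount: float


# Per-transaction approval threshold; the report's example is manager
# approval for transactions exceeding $10,000.
SINGLE_THRESHOLD = 10_000.00

# Constructed sample ledger (hypothetical; not data from the report):
# one large transfer, one 14-month run of small monthly transfers to a
# single beneficiary, and a short benign series.
SAMPLE_LEDGER = (
    [Transfer(date(2011, 1, 5), "emp17", "acct-9001", 12_500.00)]
    + [Transfer(date(2010, m, 15), "emp42", "acct-7777", 1_900.00) for m in range(3, 13)]
    + [Transfer(date(2011, m, 15), "emp42", "acct-7777", 1_900.00) for m in range(1, 5)]
    + [Transfer(date(2011, m, 20), "emp08", "acct-1234", 1_200.00) for m in range(2, 5)]
)


def flag_large(transfers, threshold=SINGLE_THRESHOLD):
    """Transfers that reach the single-transaction threshold; these are the
    ones an approval control already catches."""
    return [t for t in transfers if t.amount >= threshold]


def flag_low_and_slow(transfers, window_days=365, min_events=6,
                      agg_threshold=SINGLE_THRESHOLD,
                      single_threshold=SINGLE_THRESHOLD):
    """Group sub-threshold transfers by (initiator, beneficiary) and slide a
    window over each group in date order. A pair is reported when some window
    holds at least min_events transfers whose sum reaches agg_threshold; the
    reported window is the one with the largest total."""
    groups = defaultdict(list)
    for t in transfers:
        if t.amount < single_threshold:      # only transfers below the approval line
            groups[(t.initiator, t.beneficiary)].append(t)

    window = timedelta(days=window_days)
    alerts = {}
    for key, items in groups.items():
        items.sort(key=lambda t: t.day)
        best = None
        end = 0
        for start in range(len(items)):
            # extend the window end as far as window_days allows; end only moves forward
            while end < len(items) and items[end].day - items[start].day <= window:
                end += 1
            count = end - start
            total = sum(t.amount for t in items[start:end])
            if count >= min_events and total >= agg_threshold:
                if best is None or total > best["total"]:
                    best = {"count": count, "total": total,
                            "first": items[start].day, "last": items[end - 1].day}
        if best is not None:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    for t in flag_large(SAMPLE_LEDGER):
        print(f"large: {t.day} {t.initiator} -> {t.beneficiary} {t.amount:,.2f}")
    for (who, acct), info in flag_low_and_slow(SAMPLE_LEDGER).items():
        print(f"low-and-slow: {who} -> {acct}: {info['count']} transfers, "
              f"{info['total']:,.2f} total, {info['first']} to {info['last']}")
```

The window length, the minimum event count and the aggregate threshold are policy choices, and the report’s figures (an average of 58 theft events in cases lasting 32 months or longer) are one reason to look back a year or more per initiator/beneficiary pair rather than only at the current month.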
Finally, an average of nearly five months elapsed between the victim organizations’ discovery of the fraud (and usually the termination of the accused insider) and their request to law enforcement personnel for investigative and legal assistance. Some of these victim organizations may have waited to gather the required evidence before involving external parties. But involving law enforcement earlier in this period may have permitted the victim organizations to at least recover from the incident more quickly.


Case  Example  #1 

The insider worked as an accountant for a certified public accounting firm. Due to her good performance, her employer decided to make her solely responsible for the accounts of two client companies, one of which was her supervisor’s other business, a staffing agency. The insider eventually created a fake employee on the payroll of her supervisor’s business. Over the course of 6 years, the insider used this fake identity to pay herself money from the staffing agency. Several times she also issued fraudulent checks on behalf of the business and had them deposited to her personal accounts. The insider was finally caught when her supervisor was preparing to buy a house and discovered a large amount of cash missing from one of the staffing agency’s accounts. She confronted the insider about the situation, and the insider admitted to the crime. According to the insider, she stole the money for daily expenses and to pay her credit card debt. While she had stolen more than $100,000, she had already paid back approximately $23,000. The insider was indicted on charges of wire fraud and check fraud and eventually pled guilty. She was sentenced to 15 months in prison and 3 years’ probation and was ordered to repay the remaining $77,000 of the stolen money.


3.2.2  Conclusions  /  Recommendations 

This finding indicates that there may be several points in the evolution of fraud crimes that organizations can take advantage of to prevent, detect, or respond to fraud. As such, organizations should examine current or potential business practices, policies, or procedures and the extent to which those are or might be effective to prevent, detect, or respond to fraudulent activities. The fraud event durations might also provide a benchmark timeline to members of the financial services community.

However, we believe organizations could take this information one step further. They could compare their own practices, such as Employee Assistance Programs, to the timeline to determine what might deter an employee who may be considering engaging in illegal acts. Before the perpetrator’s personal and/or financial struggles get the best of them, reach out to them with assistance, or some will find illegal means of solving their problems. Additionally, to ensure that their financial obligations are not putting them at risk, for some employees it might be worthwhile to repeat a subset of pre-employment screening practices.

Employing tactics such as these could have helped to identify employee risk factors, the presence of which could have justified closer examination of some or all of the employee’s transactions. Finally, this finding suggests that it would be prudent to develop and maintain a proactive relationship with members of law enforcement so that they can be meaningfully involved as soon as it is appropriate.
3.3 FINDING TWO: Insiders’ means were not very technically sophisticated.

Very few of the subjects served in a technical role (e.g., database administrator) or conducted their fraud by using explicitly technical means. The data suggest that most subjects who used information systems used them, however fraudulently, for their intended purpose. For example, numerous subjects executed fraudulent wire transfers using information systems. This fraud did not require a high degree of technical sophistication or extensive knowledge of the control mechanisms. It was merely the system that everyone used to complete that particular transaction.

One  important  question  this  study  sought  to  answer  was  “What  kind  of  employees  in  the  banking 
and  finance  industry  are  most  likely  to  commit  fraud?”  The  data  in  our  research  overwhelmingly 
point  to  employees  in  non-technical  positions.  For  example,  if  fake  vendors  have  been  added  to  a 
payroll  system,  the  fraud  is  far  less  likely  to  have  been  committed  by  a  database  administrator 
hacking  into  the  payroll  systems  than  a  payroll  administrator,  responsible  for  paying  vendors,  with 
legitimate  access  to  the  system. 

3.3.1  Description 

In the majority of the fraud cases studied, subjects had no need for technical sophistication or subterfuge to carry out their fraud-related activities. If a case involved a subject who performed business operations commensurate with their normal duties and involved no technical attack methods, it was categorized as an Authorized Use case. Of the 80 fraud cases coded, 57 (71 percent) cases relied on some form of authorized use or non-technical bypass of authorized processes. Of the 57 cases, 52 involved subjects using some form of previously authorized access to carry out the fraud. Finally, in 5 of the 57 cases, the subject used some non-technical method to bypass authorized processes and commit the fraud. For example, more than one insider altered bank statements to cover up the fraudulent transfers that had been completed and then hand-delivered those bank statements to the customer.

While the insiders’ methods were largely non-technical, the insiders themselves also held non-technical positions. Organizations can focus on implementing controls that monitor non-technical insiders whose activities and system usage patterns may be inherently different than those of IT personnel.

Of the 80 cases in the data set, only 6 involved subjects with some kind of technical position. Of those 6 cases, half were helpdesk employees and half were programmers. In 9 of the cases, we were either unable to conclusively determine if the person committing the crime (whether an insider or outsider) was technical or we were unable to determine the exact identity of the criminal.


CMU/SEI-2012-SR-004  |  16 


Non-technical  subjects  were  responsible  for  the  remaining  65  (81  percent)  incidents.  Seven  of 
those  subjects  were  external  attackers,  but  their  methods  were  non-technical.  Figure  7  represents 
the  distribution  of  technical  versus  non-technical  positions  held  by  insider  fraudsters. 


Figure 7: Insider Position Types (pie chart of insider positions; recoverable labels: Technical 8%, Unknown 12%)

The few technical cases yielded some interesting observations. The three cases that were conducted by helpdesk employees were motivated strictly by financial gain. In two of the cases, the insiders stole PII using their authorized access; one sold the information, and one used the information to directly steal funds. The third helpdesk employee also used her authorized access as a means to directly siphon funds, but rather than steal customers’ legitimate information, she modified the information by setting herself up as an authorized user.

The three cases involving programmers were more diverse and driven by different motives. One programmer conducted fraud for personal financial gain by using his abilities and privileges to bypass security controls. Another programmer sabotaged her organization because she was disgruntled. The final case involved the theft of intellectual property (IP) by two programmers who were dissatisfied with their positions and desired positions at a competing organization. Though these two crimes were not as closely aligned with fraud activities as the majority of our other cases, we included them in this analysis because of their impact and because we heard from several financial sector representatives that this type of crime concerns them as well.

In four of these six cases, the insiders did not need any technical methods to conduct their crime; they used the access privileges afforded to them by their positions. In the case where the programmer conducted fraud, he used a compromised co-worker’s account with an easily guessed password to bypass an authorized process. In the single case of sabotage, the recently terminated insider used social engineering to get her remote access account reactivated and used the account’s privileges to conduct the fraud.
To some extent, the inherently greater level of privilege granted to these technical insiders enabled their crimes. These privileges were often necessary for the insiders to perform their legitimate job duties, so organizations must ensure that technical insiders are using their privileges appropriately.


Case  Example  #2 


Non-Technical 

The subject worked as a vice president for a federal credit union. As part of his job, he was given a corporate credit card to use for business purposes only. Soon after being hired and continuing throughout his employment, the insider used this corporate credit card to pay for personal expenses. The insider also used the card to take out cash advances on a few occasions, even though doing so violated company policy. To justify the cash advances, the insider created fake invoices on his business laptop and forwarded them to the appropriate departments within the organization. He also falsely claimed that the personal expenses on the card were for legitimate business purposes. For example, the insider used the card to pay restaurant bills and later claimed that the meals were for his employees; however, later investigations revealed that the subject had not treated any employees to meals. The subject was able to continue his fraudulent scheme by creating a fake contract with his wife’s third-party organization and then paying the organization for fake services via wire transfer.




Case  Example  #3 

Technical 

The insider was employed as a lead software developer at a prominent credit card company, which offered a rewards program where customers could earn points based on the volume and frequency of their credit card usage. These points could later be redeemed for gift cards, services, and other items of monetary value. Due to the high transaction volume of corporate accounts, a typical corporate account could hypothetically accumulate an immense number of rewards points. Therefore, the rewards points program was configured in such a way that the back-end software would not allow corporate accounts to earn points. At an unknown date, the insider devised a scheme by which he could earn fraudulent rewards points by bypassing the back-end checks in the software and linking his personal accounts to corporate business credit card accounts of third-party companies. After compromising a co-worker’s domain account by guessing the password, he was able to implement a backdoor that allowed him to successfully link his personal accounts to several corporate accounts. The insider cashed in the rewards points for items of value, such as gift cards to popular chain stores, and sold them in online auctions for cash. In all, the insider was able to accumulate approximately 46 million rewards points, $300,000 of which he was able to convert into cash before being caught by internal fraud investigators. The insider admitted to the scheme and bargained with investigators for a reduced sentence if he agreed to provide information on his technical backdoor and offer insight as to how organizations might prevent a similar occurrence from happening in the future.


3.3.2  Conclusions  /  Recommendations 

The most important lesson from this finding is that the seemingly least-threatening employees — the ones without technical knowledge or privileged access to organizational systems — can still use organizational systems to cause significant damage. This finding reinforces our recommendation that organizations must adhere to good security principles when developing policies and controls to protect themselves from malicious insiders. In the large majority of the studied cases, the insiders did not require technical knowledge to commit their crimes. They easily bypassed security controls or concealed their actions with non-technical actions and exploited insufficient access controls that were put in place by their organization.

We recommend that organizations guide their policies and practices by commonly accepted security principles, such as access control, least privilege, and separation of duties. Restricting the level of employee access to that necessary to perform job duties may have prevented several of the cases described in this section.

Organizations should assume that ill-intentioned employees will leverage the most easily exploitable vulnerabilities first; often, such vulnerabilities are within the reach of most non-technical personnel. No amount of intrusion detection systems, database triggers, or host system hardening procedures will defend against an insider with authorized access to data. Therefore, an organization can only begin to minimize or prevent costly insider attacks if it continually builds its policies and procedures on the foundation of trusted information security principles.

3.4 FINDING THREE: Fraud by managers differs substantially from fraud by non-managers by damage and duration.

Previous insider threat research into fraud activities indicated that non-managers were the primary perpetrators of malicious activity. In this study, we observed two main types of fraudsters: those who occupied senior positions (e.g., executives, branch managers) and those who were more junior in the organizational structure. The crimes of these two types of insiders show substantial differences, and organizations can use this information to identify alternate measures of detection or even prevention.

3.4.1 Description

Of the 67 insider cases used for this study, all but 6 documented the subjects' workplace role (e.g., teller, teller manager, vice-president [VP]). Of these 61 subjects, 31 (51 percent) were managers, VPs, supervisors, or bank officers. The remaining 30 subjects (49 percent) did not hold supervisory positions, though they often served in fiduciary roles and may have had sufficient tenure at the victim organization to have been very trusted. Since more than half of the insiders were serving in supervisory roles, it is worth examining some of the other case criteria about managers and non-managers, such as differences in monetary impact and how they executed their crimes.


Figure 8 shows the actual monetary damages caused by managers and non-managers.

Figure 8: Actual Damages by Position Type
The average monetary damage by managers seems very high, but it is skewed by one large outlier. The median values, which address outliers both high and low, may give a better sense of these numbers. The median results show that managers consistently cause more actual damage ($200,106) than non-managers ($112,188).

Crime duration also shows an interesting difference. Non-managers' crimes lasted an average of 18 months, while managers' crimes almost doubled to an average of 33 months. One explanation of this disparity in crime duration is that managers took advantage of their superior access to information and relative lack of supervision to sustain longer crimes.

Our analysis categorized the non-managers into the following employment types:

• accounting (6 subjects) — employee whose primary responsibility is that of an accountant or equivalent

• customer service (14 subjects) — employee whose primary responsibility is interacting with the victim organization's customers

• analyst (3 subjects) — employee whose duties deal with some sort of analysis other than accounting activities

• technical (4 subjects) — employee whose duties deal with some technical facet of operations, such as engineers or other IT personnel

• other (3 subjects) — anything that could not be accurately categorized as one of the above

Table 1 shows the crime duration (in months), average actual damage (in dollars), and damage per month (in dollars) for the first four categories of non-managers. The "other" category is not included because the associated job roles were too disparate to be considered a coherent group.


Table 1: Comparison of Damage and Crime Duration by Non-managers

Categories          Duration Average (Months)   Average Damages, Actual   Damage per Month, Average
Accounting          41                          $472,096                  $11,627
Customer Service    10                          $191,338                  $18,350
Technical           26                          $104,430                  $4,041
Analysis            20                          $54,785                   $2,785

On average, accounting employees did the most actual damage, followed by customer service employees and, with much less damage, technical and analysis employees. These numbers make sense, given that the accounting employees had the ability to illegally transfer funds and often had access to PII. It also follows that they were able to continue their schemes for the longest amount of time since they were often the first and last line of defense for proper accounting procedures. Though customer service representatives were also able to cause significant damage on average, their schemes did not go on nearly as long; in fact, their schemes had the shortest duration of all. This may have been because their activities were more easily audited and detected, and also perhaps because they were generally not in supervisory roles and were thus able to hide or explain their actions with exception handling.
Case Example #4

Manager

The insider worked as a branch manager of a national banking institution. The insider's father had a criminal history and while in prison had met a man who, after he was released, eventually started running an identity theft scheme. Sometime after being released, the father put his prison friend (the outsider) in touch with his son (the insider) in the hopes that the insider would help steal account information using his privileged access. The outsider offered to pay the insider $1,000 for each account. While the insider initially refused, his father was eventually able to persuade him to take part in the fraud scheme. Over a three-month period, the outsider asked the insider for the account information of 25 specific people. The insider divulged this information over the phone at work and on paper documents outside of work. The outsider made fake identifications using the account information and had a team of complicit cashiers who walked into banks and made fraudulent withdrawals. In total, $228,000 was stolen. Once investigators received reports from customers whose accounts had been compromised, they were able to use the access logs of customer records to trace the fraud to the insider. The insider admitted to the scheme, and even helped investigators conduct a sting operation to apprehend the outsider. Considering that he helped to catch the outsider, who had an extensive criminal history and numerous charges, the insider was sentenced to time served and two years of supervised release.


Case Example #5

Non-Manager 

The insider worked as the loan processor for a banking institution. As part of her job responsibilities, she had full privileges to read and modify loan information within the organization. She took out two legitimate loans totaling $39,000 from her employer organization for her own personal expenses, which in itself was not a violation of company policy. However, to help pay for additional personal expenses, she used her privileged access several times to fraudulently increase her personal loan amounts. She then withdrew the resulting difference, thereby committing embezzlement. She was discovered when a routine audit revealed that essential loan documentation was missing from her loan account, which the insider had removed to cover up the fraud. By the end of her scheme, she had stolen approximately $112,000. She was sentenced to 18 months in prison and 5 years' probation and was ordered to pay full restitution.


3.4.2 Conclusions / Recommendations

Though their activities and access may have differed at times, managers and accountants caused the most damage from insider fraud and evaded detection for the longest amount of time. Prevention strategies for these two types of employees may not be the same, but they both require that the organization closely check, at least occasionally, even those who are in charge of certain critical business processes. Many of the victim organizations in this study tended to blindly trust that the lead accountant or branch manager must be doing things for the right reason, even if their actions violated policies and procedures. Organizations should consider auditing the activities of accountants and managers on a more detailed level or more frequent basis than other employees.

It is essential for financial organizations to develop enforceable policies and clearly communicate them to all employees, not just those responsible for enforcing the rules. Despite this communication, non-managers may be reluctant to report when their supervisors violate rules, especially rules that seem to have little association with malicious or criminal conduct. Therefore, a corollary practice should be put in place to disallow regular exception handling. For example, there was more than one case in which, against the rules, a manager insisted that he deliver customer account statements by hand in the name of good customer service. The manager did this because he had altered the statements and thought this exception would help him to avoid detection.

Employees in general, and those with greater privilege in particular, should be greatly limited in what actions they can perform on their own accounts, as well as the accounts of their immediate family members. We found that using scripts to notify fraud-prevention specialists, and using access-control mechanisms to prevent fraud in the first place, would have been effective in several of the cases in this study.
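The self/family restriction and the notification script described above, as an added example that is not code from the report or from any institution it studied: it takes a constructed directory of which accounts each employee and their immediate family hold, denies modifying actions on those accounts, and records a notification for fraud-prevention staff on any other access to them. The employee ids, account names and action types are assumptions.

```python
"""Self-dealing check for employee actions on their own or family accounts.

Added example, not part of the CERT report. It models the report's
recommendation that employees be limited in what they can do with their own
accounts and those of immediate family, combining a preventive access-control
decision ("deny") with a notification to fraud-prevention staff ("alert").
All ids, accounts and actions below are constructed sample data.
"""
from dataclasses import dataclass, field

# Actions that change balances or terms: blocked outright when the target
# account belongs to the acting employee or to a family member.
MODIFYING_ACTIONS = {"modify_loan", "transfer", "change_address", "issue_card"}


@dataclass
class Employee:
    emp_id: str
    own_accounts: set = field(default_factory=set)
    family_accounts: set = field(default_factory=set)


@dataclass
class Action:
    emp_id: str
    account: str
    action: str
    timestamp: str


# Constructed directory (assumed to be fed from HR / know-your-customer data):
# which accounts each employee and their immediate family hold at the bank.
DIRECTORY = {
    "e100": Employee("e100", own_accounts={"acct-1"}, family_accounts={"acct-2"}),
    "e200": Employee("e200", own_accounts={"acct-3"}),
}


def evaluate(action: Action, directory: dict) -> dict:
    """Decide one action: 'allow', 'alert' or 'deny'.

    deny  - modifying action on the employee's own or family account,
            or an actor missing from the directory (fail closed)
    alert - any other access to such an account; allowed, but fraud
            prevention is notified
    allow - account unrelated to the employee
    """
    emp = directory.get(action.emp_id)
    if emp is None:
        # An unmapped actor is itself an access-control gap worth a look.
        return {"decision": "deny", "reason": "unknown employee", "notify": True}
    if action.account in emp.own_accounts:
        relation = "own"
    elif action.account in emp.family_accounts:
        relation = "family"
    else:
        return {"decision": "allow", "reason": "unrelated account", "notify": False}
    reason = f"{action.action} on {relation} account"
    if action.action in MODIFYING_ACTIONS:
        return {"decision": "deny", "reason": reason, "notify": True}
    return {"decision": "alert", "reason": reason, "notify": True}


def review_batch(actions, directory):
    """Evaluate a list of actions and return the notifications a
    fraud-prevention mailbox would receive (one dict per flagged action)."""
    notices = []
    for act in actions:
        verdict = evaluate(act, directory)
        if verdict["notify"]:
            notices.append({"emp_id": act.emp_id, "account": act.account,
                            "action": act.action, "timestamp": act.timestamp,
                            **verdict})
    return notices


# Constructed sample activity, patterned on Case Example #5 (a loan processor
# raising her own loan amount) plus a routine look-up of an unrelated account.
SAMPLE_ACTIONS = [
    Action("e100", "acct-9", "view", "2012-03-01T09:00"),
    Action("e100", "acct-1", "view", "2012-03-01T09:05"),
    Action("e100", "acct-1", "modify_loan", "2012-03-01T09:06"),
    Action("e100", "acct-2", "transfer", "2012-03-02T14:20"),
    Action("e999", "acct-3", "view", "2012-03-02T15:00"),
]

if __name__ == "__main__":
    for n in review_batch(SAMPLE_ACTIONS, DIRECTORY):
        print(n["decision"].upper(), n["emp_id"], n["account"], n["reason"])
```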

Finally, financial organizations must ensure that access control is granular enough to provide only necessary access to those in senior or supervisory positions. For fraud as well as other types of insider crimes, we often see privileges accumulate over years of employment without employee accesses being closely examined by the victim organization until it is too late. If tellers or teller managers can complete account transfers, then should a branch manager be able to perform the same activities? Perhaps the answer is yes; however, the actions of managers should be scrutinized at a more detailed level than the actions of other employees.

3.5 FINDING FOUR: Most cases do not involve collusion.

There was not a significant number of cases involving collusion, but those that did occur generally involved external collusion (i.e., a bank insider colluding with an external party to facilitate the crime). The external collusions often involved an insider who wanted or needed an external party to act as a conduit to sell stolen PII or pose as a legitimate account holder. Further, there was only one case of collusion that involved someone in a supervisory or management position. This indicates that collusion was not necessary for those individuals to commit the fraud. In the cases in this study, managers involved non-managers in their crime largely without the non-managers' knowledge.

The lack of internal collusion departs from some of our previous research and findings about fraud collusion. For example, we have previously captured several instances of rings of insiders completing malicious activities together — one such collusion was a ring of individuals at a government agency issuing fraudulent identification cards. Nonetheless, the collusion cases in this study did exhibit some trends that may inform collusion controls.
3.5.1 Description


We categorized and tracked three types of collusion for this study:

• inside — An insider recruited or was recruited by other victim organization employees.

• outside — An insider recruited or was recruited by parties completely external to the victim organization.

• both — The crime involved inside and outside parties. Either party could have done the recruitment.


Figure 9 shows the distribution of the different types of collusion.

Figure 9: Cases by Type of Collusion


For all insider cases, only 13 (16 percent) involved any collusion. This relatively small number departs from some of our previous findings, both in other specific sectors and across all sectors [Cappelli 2012]. Since the majority of fraud collusion in the financial sector involved outside actors, it also seems that the malicious insiders often required external assistance to complete their crimes. For example, two cases involved inside employees paying outside entities (one of which posed as a vendor), who promptly withdrew money and shared it with the insider. Seven additional cases involving external collusion dealt with the sale of PII. The safeguarding of PII, or lack thereof, was a common theme and is addressed in Finding Six (see page 27).

In other sectors, internal collusion often occurs when it facilitates the crime or makes it more profitable. This was the case in the single financial-sector case involving only internal collusion. The two insiders had separate access to IP, and their collaboration facilitated the crime.
Case Example #6

The subject, a financial institution employee, accessed and printed account information belonging to multiple individuals. This information was then provided to an outsider, her boyfriend. The outsider provided the information to associates in New York who then recruited homeless or indigent people to enter financial branches, pose as legitimate account holders, and withdraw funds from the financial institution. The financial institution began investigating the missing funds and interviewed the subject, who confessed that she had printed the account information and passed it to an outside source. The subject was sentenced to probation (2 years) with home detention (6 months), random drug testing, and 50 hours of community service. The subject was also ordered to repay part of the stolen funds. The total losses experienced by the victims exceeded $235,000.


3.5.2 Conclusions / Recommendations

The vast majority of cases that involve collusion also involve the improper use of customer information or PII. Clearly, the black-market value of such information motivates employees to undertake risky and illegal activities. Properly controlling access to PII has already emerged as a critical issue for businesses, both to maintain trusted relationships with customers and to avoid fines and undue attention from regulators and law enforcement.

Some of the insiders who colluded with others used particularly low-tech means of exfiltrating the information, such as reciting the information over the phone or handwriting it on paper. In these cases, it seems there is virtually no technical detection measure relating to the data exfiltration. The fraudsters' use of the customer account information was only caught with forensic audits after several of the accounts they had accessed were manually flagged for unusual activity. Another group of cases involved the use of technology, but not necessarily in a particularly inventive or unique way. For example, one subject used screen captures, another copied and pasted PII into text files, and many more printed the information. Though these may seem like normal business activities, organizations should strongly consider restricting such activities on workstations that regularly process PII.

These cases may indicate that organizations must implement extremely stringent controls to adequately control employees with legitimate and regular access to customer PII. For example, we know of one financial institution that restricts its helpdesk and customer service representatives from printing anything from their desktops or bringing pencil and paper into the environment; additionally, supervisors physically watch these employees from a raised floor above the employees at all times. Though this might be perceived by some as extreme, our cases clearly indicate the need to strongly protect access to PII and prevent abuse.

3.6 FINDING FIVE: Most incidents were detected through an audit, customer complaints, or co-worker suspicions.

This finding addresses how victim organizations in the study detected and responded to incidents. When the data were available, we recorded the actors involved with detecting the incident and the methods they used. We reveal the most common and effective methods of discovering an insider's fraud.

3.6.1 Description

Data about the detection and response phases proved scarce at times. Of the 80 cases in the study, just under half (45 percent) lacked information on how the incident was detected and by whom, and just over half (51 percent) lacked information about the type of logs used during the detection and incident response phases. A fifth of the cases did not identify the primary actors involved with incident response.

How was the attack detected?

The most common way attacks were detected was through routine or impromptu audits. An audit detected the insider's fraudulent activities in 41 percent of the cases where detection methods were known. Other non-technical methods, such as customer complaints and co-workers noticing suspicious behaviors, were used to detect 39 percent of the insiders. Only 6 percent of the cases involved fraud-monitoring software and systems, while the remaining cases used unknown detection methods.

Who detected the attack?

Over half of the insiders were detected by other victim organization employees, though none of the employees were members of the IT staff. This, in conjunction with the mere 6 percent of cases where software and systems were used in detection, seems to indicate that fraud-detection technology was either ineffective or absent. Most of the remaining cases were detected by customers, an unfortunate yet likely source of detection in cases of bank fraud.

What logs were used to detect the incident?

The case data contained limited information regarding the logs that were used during the detection and response phases. However, of the 62 cases with sufficient information, transaction logs, database logs, and access logs were utilized in 20 percent of the cases. About 10 percent of the cases showed strong evidence that no logs were used during detection, often because the insider readily admitted to the crime before the evidence was analyzed. The remaining 70 percent of cases presented evidence of log usage without specifying the type or exhibited a mixture of evidence, such as surveillance footage, phone records, print server logs, and system file logs.
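The access-log tracing used in Case Example #4 (customer complaints matched against customer-record access logs), as an added example that is not from the report: given a constructed access log and the set of accounts customers reported as compromised, it ranks employees by the share of those accounts they accessed, and also reports what share of each employee's own distinct accesses fell on compromised accounts, so that staff who legitimately view many records are not over-counted. The log format, employee ids and account numbers are assumptions.

```python
"""Trace which employees touched a set of customer-reported compromised accounts.

Added example, not from the CERT report. It implements the investigative step
described in Case Example #4: once customers report compromised accounts, the
customer-record access log is queried for the employee who accessed every one
of them. The log format, ids and account numbers are constructed.
"""
from collections import defaultdict

# Constructed customer-record access log: timestamp, employee id, account, action.
ACCESS_LOG = """\
2012-01-05T10:02:11 e100 acct-1001 view
2012-01-05T10:03:40 e100 acct-1002 view
2012-01-05T10:04:02 e200 acct-1001 view
2012-01-06T11:15:55 e100 acct-1003 view
2012-01-06T11:16:30 e300 acct-1003 print
2012-01-07T09:45:12 e100 acct-1004 view
2012-01-07T09:50:00 e200 acct-1009 view
"""

# Accounts whose owners complained of fraudulent withdrawals (constructed).
REPORTED_COMPROMISED = {"acct-1001", "acct-1002", "acct-1003", "acct-1004"}


def parse_access_log(text):
    """Parse whitespace-separated log lines into dicts; skips blank or
    malformed lines rather than aborting the whole investigation."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, emp, acct, action = parts
        records.append({"ts": ts, "emp": emp, "acct": acct, "action": action})
    return records


def rank_suspects(records, compromised, min_coverage=0.5):
    """Score each employee by the compromised accounts they accessed.

    Returns (employee, coverage, precision) tuples sorted by coverage, then
    precision, descending:
      coverage  - share of the compromised accounts this employee accessed
      precision - share of this employee's distinct accessed accounts that are
                  compromised (separates a targeted actor from someone whose
                  job has them viewing every record)
    Employees with coverage below min_coverage are omitted.
    """
    if not compromised:
        return []
    hit = defaultdict(set)        # employee -> compromised accounts accessed
    all_accts = defaultdict(set)  # employee -> every distinct account accessed
    for r in records:
        all_accts[r["emp"]].add(r["acct"])
        if r["acct"] in compromised:
            hit[r["emp"]].add(r["acct"])
    ranked = []
    for emp, accts in hit.items():
        coverage = len(accts) / len(compromised)
        if coverage < min_coverage:
            continue
        precision = len(accts) / len(all_accts[emp])
        ranked.append((emp, coverage, precision))
    ranked.sort(key=lambda t: (-t[1], -t[2], t[0]))
    return ranked


if __name__ == "__main__":
    recs = parse_access_log(ACCESS_LOG)
    for emp, cov, prec in rank_suspects(recs, REPORTED_COMPROMISED, 0.0):
        print(f"{emp}: accessed {cov:.0%} of compromised accounts; "
              f"{prec:.0%} of this employee's accounts were compromised")
```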

Who responded to the incident?

As expected, most initial responders to the incidents were managers and/or internal investigators (75 percent). Some cases (13 percent) also involved state or local law enforcement officials in addition to the Secret Service.
Case Example #7

The insider, a temporary bank employee, was responsible for processing large cash deposits and placing them in the vault in bank-issued deposit bags. On site and during work hours, the insider created fake deposit bags using the company-issued system, put them in the vault in place of legitimate deposit bags, and stole the money from the legitimate deposit bags. In total, during a three-month period, the insider stole 12 deposit bags containing more than $92,000. Even though each of the 12 customers complained of their deposits not being credited to their accounts, it was not until the 12th customer's complaint that the victim organization conducted an investigation. Using surveillance footage and transaction logs, the victim organization discovered the insider's scheme.


3.6.2 Conclusions / Recommendations

The case data seem to indicate that technology played a very small role in enabling victim organizations to detect fraud. However, by itself, this finding could be explained or skewed by other factors. Perhaps technology was largely successful at preventing or detecting fraud before any damage occurred, thereby preventing the incident or checking it before law enforcement became involved. Additionally, even if security systems had been collecting useful information to detect fraud, the tools necessary to correlate the data may have been absent. Furthermore, the victim organization's IT staff may have been too busy with other tasks to adequately monitor the logs.

The large majority of cases were detected by non-technical methods. The victim organizations involved in the 80 cases were much more successful at detecting fraud by conducting audits, monitoring suspicious behaviors, and questioning abnormal activities. Organizations should provide open and anonymous communication channels for their employees to use if they suspect their co-workers of conducting fraudulent activity. Additionally, routine and impromptu audits to inspect the activities of all employees should take place frequently. No process, especially exception processes, should go unchecked. No employee, no matter how senior, should be exempt.

3.7 FINDING SIX — Personally identifiable information (PII) is a prominent target of those committing fraud.

While selecting cases for this study, the research team reviewed many USSS case files. One of the criteria for including a case was that the subject had used some form of technology in the commission of the fraud. We excluded quite a few cases involving bank tellers and a few teller managers who pocketed money from their cash drawer. These tellers and managers often falsified documents about the true balance to avoid detection. Once we completed our case selection, we realized that many other employees perform similar crimes — the difference is that these employees raid information systems instead of cash drawers and PII is the commodity of value.

Clearly, stealing cash from a drawer yields the insider immediate and tangible benefits, but it also leaves a trail that offenders must cover. Given the large market for stolen user and account credentials that can be used to encode a credit card or automated teller machine (ATM) card for immediate use, PII is only slightly less liquid an asset than cash. Compared to cash drawer theft, the trail of evidence in inappropriate use of PII may not always be as clear. The insider may have merely completed a normal activity (e.g., printing customer records) and used its outcome to profit externally. Because the PII audit trail is more difficult to trace, financial institutions must restrict insiders' ability to indiscriminately access and export such sensitive information.

To reveal any differences and better specify how PII misuse might be combatted, this section separates and compares cases that involve PII and those that do not.

3.7.1 Description


Because PII is such a sensitive and critical organizational resource, to better understand this type of crime, this analysis includes all cases of fraud committed by subjects internal and external to the victim organization. Of the 80 cases, 34 percent involved PII and 66 percent did not (see Figure 10). The external cases were evenly split between PII cases and non-PII cases.


Figure 10: PII and Non-PII Cases by Type of Subject (chart; series: Internal Subject, External Subject)


Though monetary damages are only one measure of a crime's severity, we compared actual monetary damages in the two categories of cases (PII and non-PII). As with other findings and analysis, there are several cases with extremely high damages that skew the numbers when calculating the average, so we also computed the median. For cases involving PII, the average damage per case was $222,896 and the median damage was $52,339, as seen in Figure 11. The non-PII cases involved damages roughly four times as large, both for the average ($1,046,670) and the median ($186,000). The difference might suggest that the PII cases were insignificant or not worthy of concern. However, 10 PII cases involved damages that exceeded $100,000 and 2 involved damages of more than one million dollars.
Figure 11: Average and Median Damage by PII and Non-PII Cases

A potential explanation for the lower damages of PII cases is that they were detected and stopped earlier than non-PII cases. The cases included several crimes of unknown duration in both categories, which reduced the number of cases with known duration to 18 PII cases and 43 non-PII cases. The crimes involving PII were consistently shorter in duration. The median durations were 6 months for PII cases and 19 months for non-PII cases. The averages were much closer, at 19 months for PII cases and 27 months for non-PII cases. Even when accounting for the long-duration PII cases bringing the average up, more than 80 percent of the subjects committing crimes involving PII did so for less than 2 years before being caught.

Perhaps the detection mechanisms worked better in these cases, or perhaps these criminals were not as good at concealing their crimes. No matter the explanation, these cases still caused significant financial damage and potentially exposed the victim organizations to unwanted consequences, such as disclosure requirements and potential regulatory penalties and fines.

Finally, characterizing the type of employee that committed acts of fraud with PII may provide some insight into mitigation strategies. As in Finding 3 (see page 20), we gleaned information about the age, tenure, and seniority of the subjects from our case data and used it to compare PII cases to non-PII cases. The differences are described below and summarized in Table 2.

• Age — A noticeable difference emerged for this variable. The average age of subjects (at the beginning of the crime) who misused PII was 32 years, while subjects who did not use PII were, on average, 40 years old. Though there were 16 cases with unknown ages and several subjects on the extreme ends of the age scale, the median values are similar to the averages: 30 years for PII cases and 40 years for non-PII cases. Clearly, those who used PII in the commission of their crimes were more likely to be closer to entry into the workforce than on the road to retirement.

• Tenure — For this variable, we excluded the external cases and unknowns from the calculations, leaving 47 cases where tenure was applicable or known. Consistent with the finding about age, the subjects who were involved with PII crimes had not been with the victim organization as long as non-PII subjects. PII subjects spent an average of less than 8 years (7.5 years) with their organization before being fired for their actions. Non-PII subjects had spent, on average, over 11 years (11.2) with the victim organization.

• Level of Seniority — Finally, we examined level of seniority. As shown in Figure 12, PII cases involved both managers and non-managers, but the number of non-managers involved with trafficking PII was more than twice the number of managers.

Taken together, these variables paint a fairly consistent picture of insiders committing crimes involving PII — such crimes tend to be committed by younger, less experienced non-managers. The crimes involving PII were also caught more quickly than non-PII crimes and, on average, resulted in less damage. However, some PII crimes caused damages as large as non-PII crimes, so the potential financial impact of these crimes should not be ignored.


Table 2: Comparison of Crimes by Their Involvement of PII

                                  Crimes Involving PII       Crimes Not Involving PII
Age                               32 years                   40 years
Tenure                            7.5 years                  11.2 years
Position of Seniority             Managers: 22%              Managers: 53%
(unknowns excluded from           Non-managers: 48%          Non-managers: 44%
calculated percentages)           External Parties: 30%      External Parties: 2%

[Figure 12 is a bar chart titled "Subjects' Level of Seniority by Cases Involving PII". Categories: Management, Non-Management, External, Unknown. Series: Non-PII, PII. Horizontal axis: Number of cases.]

Figure 12: Level of Seniority in Cases Involving PII
Case Example #8

The insider and his accomplices were customer service employees at a financial institution's call center. These employees had access to customer information, which included PII. While accessing customer accounts during the normal course of business, the insider and his accomplices printed screen captures of customer records and gave them to an outsider to make fraudulent purchases. Sometimes the insiders modified customer records to have a credit card sent to an address to which they had access, and they would use these newly issued cards to make fraudulent purchases. One insider even purchased a wedding dress with a fraudulent card. The organization's total losses exceeded $2.2 million.


3.7.2 Conclusions / Recommendations

In every case involving PII, the insiders had to export the data to a format that was acceptable to those who ultimately consumed the PII. Some insiders used creative methods of exfiltration to avoid detection. In several cases, audits of the subject's information system usage revealed that the subject had violated policy, though it was not clear if the audit was random or not.

Financial institutions must consider more tightly restricting what customer PII and account credentials their employees can access, print, or save electronically. Though employees require some base level of access to do their jobs, granting them unfettered access can lead to costly information exposure that could entail fines and litigation. Financial institutions must place strong restrictions on employees' access to customer PII and account credentials that, at the very least, meet their regulatory requirements. If they do not already, they may also want to consider regularly auditing the use of information systems that process customer PII and account credentials.

Whenever fraudulent insider activity is detected, whether or not such activity involves PII, organizations should perform analyses to determine how to prevent or detect similar fraud in the future. Organizations should evaluate the fraud and ask the following questions:

• What business processes need to change?

• What new controls could be implemented to prevent similar activity in the future?

• What automated scripts are available that might detect similar activity?

Organizations should then take the necessary steps, such as creating and running fraud-detection scripts, to help identify similar or ongoing fraud activity.
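As an added example of what such a fraud-detection script might look like (this code was written for this page; it is not a script from the report or from the CERT Insider Threat Center), the Python below runs three checks over a small audit log constructed to mirror Case Example #8: one employee setting the same new mailing address on several customers' accounts, an address change followed shortly by a card issuance on the same account, and an unusually high number of record prints or screen captures by one employee in a day. The log format, the action codes, the sample data and the thresholds are all assumptions.

```python
"""Retrospective fraud-detection checks over a call-center audit log.

Example code written for this page, not a script from the report. It looks
for three patterns drawn from Case Example #8:
  1. one employee sets the same new mailing address on several customers'
     accounts;
  2. an address change on an account is followed within a short window by a
     card issuance on that account;
  3. one employee prints or captures an unusually large number of customer
     records in a single day.
The log format, action codes, sample data and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields: timestamp, employee id,
# action code, customer account, free-text detail (new address, etc.).
SAMPLE_LOG = """\
2011-03-01T09:02:11 emp17 VIEW  acct1001 -
2011-03-01T09:03:40 emp17 ADDR  acct1001 12 Elm St
2011-03-01T13:30:00 emp22 ADDR  acct2001 9 Oak Ave
2011-03-02T10:15:02 emp17 CARD  acct1001 issued
2011-03-02T11:20:55 emp17 ADDR  acct1042 12 Elm St
2011-03-03T08:41:13 emp17 CARD  acct1042 issued
2011-03-03T08:42:00 emp17 ADDR  acct1077 12 Elm St
2011-03-03T09:00:00 emp17 PRINT acct1101 -
2011-03-03T09:01:00 emp17 PRINT acct1102 -
2011-03-03T09:02:00 emp17 PRINT acct1103 -
2011-03-03T09:03:00 emp17 PRINT acct1104 -
2011-03-03T09:04:00 emp17 PRINT acct1105 -
2011-03-03T09:05:00 emp17 PRINT acct1106 -
2011-03-04T10:00:00 emp22 PRINT acct2003 -
2011-03-05T14:00:00 emp22 ADDR  acct2010 4 Pine Rd
2011-03-06T09:30:00 emp31 CARD  acct2010 issued
2011-03-20T09:00:00 emp22 CARD  acct2001 issued
"""


def parse_log(text):
    """Parse the log into event dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, action, acct, detail = line.split(None, 4)
        events.append({"ts": datetime.fromisoformat(ts), "emp": emp,
                       "action": action, "acct": acct, "detail": detail})
    events.sort(key=lambda e: e["ts"])
    return events


def shared_new_address(events, min_accounts=2):
    """(employee, address) pairs where the employee redirected at least
    min_accounts distinct customer accounts to the same address."""
    accounts = defaultdict(set)
    for e in events:
        if e["action"] == "ADDR":
            accounts[(e["emp"], e["detail"])].add(e["acct"])
    return {k: sorted(v) for k, v in accounts.items() if len(v) >= min_accounts}


def address_then_card(events, window=timedelta(days=7), same_employee=True):
    """Card issued on an account within `window` of an address change on it.
    With same_employee=True both steps must come from one employee; set it
    False to also catch the accomplice variant where a colleague issues the card."""
    last_addr = {}  # key -> time of the most recent address change
    hits = []
    for e in events:  # already time-ordered
        key = (e["emp"], e["acct"]) if same_employee else e["acct"]
        if e["action"] == "ADDR":
            last_addr[key] = e["ts"]
        elif e["action"] == "CARD" and key in last_addr:
            if e["ts"] - last_addr[key] <= window:
                hits.append((e["emp"], e["acct"]))
    return hits


def print_volume(events, threshold=5):
    """(employee, day) pairs whose print/screen-capture count exceeds threshold."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "PRINT":
            counts[(e["emp"], e["ts"].date().isoformat())] += 1
    return {k: n for k, n in counts.items() if n > threshold}


def run_checks(text=SAMPLE_LOG):
    """Run all three checks over a log and collect the findings."""
    events = parse_log(text)
    return {"shared_address": shared_new_address(events),
            "address_then_card": address_then_card(events),
            "print_volume": print_volume(events)}


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings}")
```

The window and the print threshold are deliberately parameters: an organization would set them from its own baselines rather than from the constructed values used here, and the same_employee switch shows why a check keyed only on the account is needed when, as in Case Example #8, several employees act together.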
4 Fraud Dynamics


To complement the previous section's characterization of insider fraud, this section describes prominent patterns in the dynamic behavior of fraud over time. We take a step back from the details of the individual findings and paint a larger picture of the crime. Not all aspects of the fraud model developed have detailed case frequencies associated with them. There were gaps in the data that would not allow a coherent behavior-over-time model to be developed if we required hard numbers for all aspects. Nevertheless, the model does represent many aspects of the cases we reviewed quite well. The model embodies a set of hypotheses about fraud in the banking and finance sector that can be tested in future research.

While analyzing insider fraud cases, we discovered two dominant scenarios: the Manager Scenario (32 cases) and the Non-Manager Employee Scenario (30 cases). In the Manager Scenario, the perpetrators of fraud are typically branch managers or vice presidents who realize they are able to alter business processes, including influencing subordinate employees, in a way that suits their desire to profit financially. In the Non-Manager Employee Scenario, the perpetrators are often customer service representatives who alter accounts or steal customer accounts or other personally identifiable information (PII) to defraud the victim organization for money. These scenarios share many patterns, but they each have key distinguishing characteristics.

As was mentioned in Section 2, we used a technique called system dynamics, which is a method for modeling and analyzing the holistic nature of complex problems as they evolve over time [Sterman 2000]. This section provides an overview of the approach and its notation, describes the Fraud Triangle as a starting point for organizing the model, and presents system dynamics models for the two fraud scenarios.

4.1 System Dynamics

A powerful tenet of system dynamics is that the underlying feedback structure of problematic behavior captures the behavior's dynamic complexity. System dynamics models consist of variables connected by causal relationships. Every relationship represents either a positive or negative influence of one variable on another. A positive influence (shown as a solid arrow between two variables) indicates that the values of the variables move in the same direction, and a negative influence (shown as a dotted arrow between two variables) indicates that they move in opposite directions. A relationship's polarity assumes that all other variables in the model remain constant.

A connected group of variables can create two types of feedback loops:

• Balancing loops, indicated by the label B and a number within the loop symbol, describe system behaviors that oppose change and tend to drive variables to some goal state. Balancing loops often represent actions that an organization takes to mitigate a problem.

• Reinforcing loops, indicated by the label R and a number within the loop symbol, describe system behaviors that tend to drive variable values consistently upward or downward. Reinforcing loops often represent the escalation of problems but may include problem-mitigation behaviors.

Within a model, a loop symbol containing an italicized loop name indicates a significant feedback loop. The number of negative influences along the path of the loop determines the loop's type: an odd number of negative influences indicates a balancing loop, and an even (or zero) number of negative influences indicates a reinforcing loop.
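To make the parity rule concrete, here is an added Python example (written for this page, not code from the report) that represents a causal loop diagram as a list of polarized edges, enumerates its simple cycles, and labels each cycle balancing or reinforcing by counting the negative influences along it. The sample diagram is a constructed sketch of the Deterrence Effect of Fraud Detection and Growth of Need loops that Section 4.3 describes in prose; its variable names are assumptions and are not the labels of Figure 15.

```python
"""Classify feedback loops in a qualitative system dynamics model (causal
loop diagram) using the parity rule: a loop with an odd number of negative
influences is balancing (B); an even number (or none) makes it reinforcing (R).

Example code written for this page; not from the report."""

# Constructed sketch of two loops from the manager model as described in
# prose (Section 4.3). Variable names are assumptions, not Figure 15's labels.
# Each edge is (source, target, polarity): +1 solid arrow, -1 dotted arrow.
SAMPLE_DIAGRAM = [
    # Deterrence Effect of Fraud Detection: more fraud activity produces more
    # observables, raising the organization's knowledge and the insider's
    # perceived risk, which in turn suppresses fraud activity (negative link).
    ("insider fraud activity", "observables of fraud", +1),
    ("observables of fraud", "organization's knowledge of fraud", +1),
    ("organization's knowledge of fraud", "insider's perceived risk", +1),
    ("insider's perceived risk", "insider fraud activity", -1),
    # Growth of Need: gain from the fraud feeds a desire for more income,
    # which drives further fraud activity (all positive links).
    ("insider fraud activity", "insider's financial gain", +1),
    ("insider's financial gain", "insider's desire for more income", +1),
    ("insider's desire for more income", "insider fraud activity", +1),
]


def build_graph(edges):
    """Adjacency map: node -> list of (target, polarity). Assumes at most one
    edge per ordered pair of variables."""
    graph = {}
    for src, dst, pol in edges:
        graph.setdefault(src, []).append((dst, pol))
        graph.setdefault(dst, [])
    return graph


def find_simple_cycles(graph):
    """Enumerate each simple cycle once. Nodes get a fixed order; a search
    started at node s only walks through nodes later in that order, so every
    cycle is reported exactly once, starting from its earliest node."""
    order = {node: i for i, node in enumerate(sorted(graph))}
    cycles = []

    def walk(start, node, path, on_path):
        for nxt, _pol in graph[node]:
            if nxt == start:
                cycles.append(list(path))
            elif order[nxt] > order[start] and nxt not in on_path:
                path.append(nxt)
                on_path.add(nxt)
                walk(start, nxt, path, on_path)
                path.pop()
                on_path.discard(nxt)

    for start in sorted(graph, key=order.get):
        walk(start, start, [start], {start})
    return cycles


def polarity(graph, src, dst):
    """Polarity of the influence src -> dst."""
    for nxt, pol in graph[src]:
        if nxt == dst:
            return pol
    raise KeyError(f"no influence {src!r} -> {dst!r}")


def classify_loop(graph, cycle):
    """Apply the parity rule to one cycle; returns ('B' or 'R', negatives)."""
    negatives = 0
    for i, node in enumerate(cycle):
        if polarity(graph, node, cycle[(i + 1) % len(cycle)]) == -1:
            negatives += 1
    return ("B" if negatives % 2 == 1 else "R"), negatives


def classify_diagram(edges):
    """All feedback loops of a diagram as (variables, loop type, negatives)."""
    graph = build_graph(edges)
    result = []
    for cycle in find_simple_cycles(graph):
        kind, negatives = classify_loop(graph, cycle)
        result.append((tuple(cycle), kind, negatives))
    return result


if __name__ == "__main__":
    for variables, kind, negatives in classify_diagram(SAMPLE_DIAGRAM):
        print(f"{kind} loop ({negatives} negative influence(s)): "
              + " -> ".join(variables))
```

Run stand-alone, the script reports one B loop (one negative influence) and one R loop (none), which is exactly how a reader would label the same cycles by hand from the rule above; larger diagrams, where loops share edges and hand-counting gets error-prone, are where the enumeration pays off.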

Figure 13 summarizes the notation used in this report. Our modeling is restricted to a portion of the notation that does not involve simulation. Models using this notation are often referred to as qualitative system dynamics models or causal loop diagrams.


[Figure 13 is a notation legend; its entries are reproduced here as a list.]

• Var1: Variable, anything of interest in the problem being modeled.

• Var1 -> Var2 (solid arrow): Positive Influence, values of variables move in the same direction (e.g., source increases, target increases).

• Var1 - - > Var2 (dotted arrow): Negative Influence, values of variables move in the opposite direction (e.g., source increases, target decreases).

• B# with loop characterization: Balancing Loop, a feedback loop that moves variable values to a goal state; loop color identifies the circular influence path.

• R# with loop characterization: Reinforcing Loop, a feedback loop that moves variable values consistently upward or downward; loop color identifies the circular influence path.

Figure 13: System Dynamics Notation

4.2 Fraud Triangle

The system dynamics model we developed in this research has an organizing structure similar to the Fraud Triangle, one of the most famous fraud-specific models, developed by the criminologist Donald Cressey in the early 1950s [Cressey 1974]. We summarize the Fraud Triangle in this section.

Cressey interviewed imprisoned bank embezzlers and observed that many of these formerly law-abiding citizens had a "non-sharable financial problem" [Cressey 1974]. This observation led him to develop the Fraud Triangle, depicted in Figure 14.
Cressey's theory holds that for fraud to occur, three dimensions must all be present: pressure, opportunity, and rationalization.

• Pressure is what causes a person to commit fraud. It often stems from a significant financial need or problem. This problem or need can arise due to external pressures, such as medical bills, addiction problems, or even just expensive taste. While some fraud is committed purely out of greed, Cressey observed that perpetrators often need to resolve their problem in secret, making it "non-sharable."

• Opportunity is the ability to commit fraud. It may be the result of weak internal controls or poor management oversight. Organizations have more control over the opportunity dimension than the other two dimensions. Organizations can build processes, procedures, and controls that inhibit or deter an employee's ability to commit fraud and then effectively detect it when it occurs.

• Rationalization is a perpetrator's process of overcoming any personal or ethical hesitations to commit the fraud. It involves reconciling the bad behavior with commonly accepted notions of decency or trust. Rationalizing individuals may believe that, due to perceived mistreatment, the organization owes them something or that committing the fraud is the only way to save their family from devastation. Rationalization may incorporate beliefs that the fraudster is merely borrowing money until he or she can repay it. At the other end of the spectrum, rationalization incorporates misunderstanding of the severity of the fraudulent acts or apathy about their consequences.


[Figure 14 depicts the three vertices of the Fraud Triangle with the following labels.]

• Pressure (incentive): What causes a person to commit fraud. Examples: medical bills, expensive tastes, addiction problems ...

• Opportunity: Ability to commit fraud. Created through weak internal controls, poor management oversight, use of one's position and authority ...

• Rationalization: Personal reconciliation of behavior with accepted notions of decency and trust. Examples: sacrifice for loved one, only borrowing, it is owed, does not care ...

Figure 14: Fraud Triangle
The Fraud Triangle has gained widespread support, most prominently from the document titled "Consideration of Fraud in Financial Statement Fraud," published by the American Institute for Certified Public Accountants (AICPA) [AICPA 2002]. Multiple studies have shown the value of considering the Fraud Triangle's dimensions when conducting organizational audits [Wilks 2002, 2004, Favere-Marchesi 2009]. Other authors have suggested that the Fraud Triangle is more appropriate for employee asset misappropriations than it is for "'major' (million-dollar-plus) management fraud, particularly the corruption schemes" [O'Gara 2004]. Nevertheless, we find it useful as a basis for modeling the primary patterns of insider fraud.

4.3 Manager Model

Figure 15 shows the system dynamics model of manager fraud. The red variables in the upper middle portion of the model represent the vertices of the Fraud Triangle. As shown, the insider's incentive, opportunity, and rationalization all contribute to the insider's fraud-related activities. The insider's incentive and opportunity are incorporated in major feedback loops within the model and will be described in the next sections. The limited information on rationalization suggests that some insiders rationalized that their actions were only temporary and that they would eventually make things right. Another common feeling was that the insider was at a turning point in his or her life and had no option but to commit the crime.
[Figure 15 is a causal loop diagram of the manager model; the image is not reproduced here.]

Figure 15: Manager Model
The model includes the following significant feedback loops:

• Resolving Problems (loop B1, in black) and Growth of Need (loop R1, in green): The insider's primary motivation was financial gain to resolve a variety of personal problems. However, even if the insider's personal problems are resolved, the crime typically does not end.

  Fraud crimes are typically longer in duration than other types of insider crimes. The case data indicate that the average manager fraud spanned 33 months. Even if the fraud resolves the insider's original problems, the additional income is too great to resist and the fraud takes on a life of its own.

• Escalating Cover-Up (loop R2, in purple) and Flying Below the Radar (loop B2, in light blue): The victim organization may observe the insider's fraud activities if it looks in the right places. An insider's unexplained financial gain is a red flag. But insiders' online or social attempts to conceal their actions can provide the victim organization with further observables of an escalating cover-up. There is evidence in manager fraud cases that insiders were able to reduce the observables of their crime, and thus conceal their activities, by keeping the victim organization's per-month fraud losses low. While "flying below the radar" resulted in slower losses, the longer duration of these crimes led to greater losses by the victim organization.

• Deterrence Effect of Fraud Detection (loop B3, in brown): Observables provide an opportunity for a victim organization to detect insider fraud. Many cases involved managers socially engineering their subordinates to conduct activities that may have appeared to be legitimate but in fact contributed to the fraud. Irregularities in such requests could have raised the subordinates' suspicions. An anonymous reporting vehicle may have been all that was necessary to alert the victim organization to the fraudulent activities. Fraud-detection controls can increase an organization's knowledge of fraud and the chances of catching the fraudster. The greater strength the insider perceives in the controls, the greater risk the insider will perceive in perpetrating the fraud, which may be enough to deter the fraud altogether. Deterrence also depends on the insider's perceived loss if caught.

• Trust through Tenure (loop R3, in aqua) and Insider Trust Trap (loop R4, in dark blue): Managers committing fraud often had a significant period of loyal service to the victim organization prior to the crime. During this time, the managers gained prominence and a commensurate level of trust by others in the victim organization. Excessive trust can lead the victim organization (possibly inadvertently) to

  - disable fraud-detection controls, leading to reduced knowledge of fraud activities and even more trust in the insider (the Insider Trust Trap)

  - disable fraud-prevention controls, creating the opportunity to commit the fraud

  - increase the privilege given to the insider, giving him or her knowledge of potential weaknesses in the victim organization's fraud-control system

  - lead co-workers, especially subordinates, to ignore or fail to report behaviors considered policy violations

  Trust through Tenure and the Insider Trust Trap can reduce an organization's ability to prevent, detect, and respond to fraud activities.
4.4 Non-Manager Model


The system dynamics model of the non-manager, shown in Figure 16, shares much of the dynamics exhibited in feedback loops B1 (Resolving Problems, in black), R1 (Growth of Need, in green), and B3 (Deterrence Effect of Fraud Detection, in brown) of the manager model. According to the case data, non-managers were sometimes motivated to commit fraud by a need to help family or friends financially. Co-workers collaborating on joint tasks with the non-manager insiders, or simply working in close proximity, may suspect the insider of committing fraud. This contrasts with suspicions of managers, which are less likely to be raised by subordinates the insider has socially engineered to engage in activities that seem irregular.

The Deterrence Effect on Fraud Detection (loop B3, in brown) has two paths, one indicating organizational knowledge that comes from outsider facilitation of the fraud (e.g., through the discovery that employees have had their identities stolen) and one indicating knowledge coming directly from insider activities. The potential for detecting suspicious or malicious insider activities generally allows earlier detection of criminal activities than detecting outsider facilitation of the fraud, since outsider facilitation usually exhibits itself as identity crimes perpetrated using insider information. While organizations would like to prevent crimes before they happen, monitoring for the illicit use of the organization's information externally can limit damage if internal detection is insufficient to prevent it.

Additional aspects of the model include the Growth of the Fraud Business (loop R5, in navy blue) and the Growing Pressure from Outsiders (loop R6, in aqua). Outsiders' financial benefit from insider fraud encourages the outsiders to continue and perhaps increase their facilitation of the fraud activities. This increases the incentive for insiders to continue and perhaps grow their insider fraud activities. Further, when outsiders know the details of insider activities, the insiders may feel pressured to continue or grow their fraud activities even if they would prefer not to. Thus, this dynamic affects not only the insider's opportunity but their incentive as well.

Table 3 presents the primary differences between manager fraud and non-manager fraud.

Table 3: Comparison of Fraud by Managers and Non-Managers

Attribute                               Manager Fraud                    Non-Manager Fraud
Number of Cases                         31                               30
Position Held                           branch manager, vice president   helpdesk employee, accountant, bank teller
Median Age                              38                               31
Timeline                                extended duration                comparatively short
Origin of Trust                         period of loyal service          inherent in duties and position
Possible Source of Others' Suspicions   subordinate social engineering   co-worker proximity to fraud acts
Outsider Facilitation                   nearly nonexistent               financial source from perpetrated identity crime
Concealment                             flying below the radar           unsophisticated deceptions
5 Strategies for Prevention, Detection, and Response


Because the majority of the incidents included in this study were categorized as insider fraud, this section focuses primarily on summarizing the technical and non-technical controls that may be effective in preventing, detecting, and responding to that activity. Organizations should, of course, remain concerned about IT sabotage and theft of IP, but this section focuses on the issues identified in Section 2 of this report. The CERT report, Common Sense Guide to the Prevention and Detection of Insider Threats, may provide useful guidance for addressing the wide range of threats posed by insiders [Cappelli 2009]. Table 4 below recaps the findings outlined in Section 2.¹⁰

Preventive controls for insider fraud should be designed to take away the insider's opportunity to commit the crime. (For more information, refer to Section 4.2, Fraud Triangle, on page 33.) For example, as part of the hiring process, in an attempt to reduce the number of high-risk employees entering the organization, an organization's Human Resource (HR) department often implements screening and identification of at-risk employees; this screening reduces the incidence of fraud. Individuals who have a criminal history of fraud may be more likely to commit fraud against their employer. Individuals with chronic financial problems may also be more at risk, as was evidenced in a number of incidents included in this study. In addition, financial problems sometimes arise years after an employee is hired; this suggests that for employees in positions from which fraud could be committed, financial organizations should consider repeating financial background investigations periodically, every three to five years.

Since fraud crimes often involved database transactions, either viewing or modifying data, some level of role-based access control or multi-person transaction verification may help to prevent some insider fraud crimes. These measures will make it more difficult to perpetrate the crime and may deter individuals from getting involved, or at least may make them think twice about it.
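As an added illustration of these two preventive measures (example code written for this page, not from the report), the Python below authorizes a transaction only if the initiator's role permits the transaction type, the account is not the initiator's own or a declared family member's, and any amount above a threshold carries a second approval from a different employee who would also have been entitled to perform the transaction. The role model, the transaction fields, the staff directory and the threshold are all assumptions.

```python
"""Preventive transaction authorization: role-based access control, a ban on
employees handling their own or a family member's account, and two-person
verification above a threshold. Example code written for this page, not from
the report; roles, transaction fields and the threshold are assumptions."""
from dataclasses import dataclass

# Assumed role model: role -> transaction types that role may initiate or approve.
ROLE_PERMISSIONS = {
    "teller": {"deposit", "withdrawal"},
    "csr": {"address_change", "card_issue"},
    "branch_manager": {"deposit", "withdrawal", "address_change",
                       "card_issue", "loan_disbursement"},
}

# Assumed threshold above which an independent second approval is required.
DUAL_CONTROL_THRESHOLD = 10_000


@dataclass(frozen=True)
class Employee:
    emp_id: str
    role: str
    related_accounts: frozenset  # accounts held by the employee or declared relatives


@dataclass(frozen=True)
class Transaction:
    tx_type: str
    account: str
    amount: float
    initiator: str          # emp_id of the employee entering the transaction
    approvers: tuple = ()   # emp_ids offered as second approvers


def can_act(employee, tx):
    """Least privilege: the role permits this type and the account is not
    the employee's own or a relative's."""
    permitted = ROLE_PERMISSIONS.get(employee.role, set())
    return tx.tx_type in permitted and tx.account not in employee.related_accounts


def authorize(tx, employees):
    """Decide whether tx may proceed. Returns (allowed, code)."""
    actor = employees.get(tx.initiator)
    if actor is None:
        return False, "unknown_initiator"
    if tx.tx_type not in ROLE_PERMISSIONS.get(actor.role, set()):
        return False, "role_denied"
    if tx.account in actor.related_accounts:
        return False, "own_account"
    if tx.amount > DUAL_CONTROL_THRESHOLD:
        # Separation of duties: the approver must be a different person who
        # would also be entitled to act on this transaction.
        independent = [a for a in tx.approvers
                       if a != tx.initiator and a in employees
                       and can_act(employees[a], tx)]
        if not independent:
            return False, "dual_control_required"
    return True, "ok"


# Constructed staff directory and transactions (not real data).
SAMPLE_EMPLOYEES = {
    "emp01": Employee("emp01", "teller", frozenset({"acct5001"})),
    "emp02": Employee("emp02", "csr", frozenset()),
    "emp03": Employee("emp03", "branch_manager", frozenset({"acct7001"})),
    "emp05": Employee("emp05", "branch_manager", frozenset()),
}

SAMPLE_TRANSACTIONS = {
    "routine_deposit": Transaction("deposit", "acct9001", 500, "emp01"),
    "csr_withdrawal": Transaction("withdrawal", "acct9001", 200, "emp02"),
    "teller_own_account": Transaction("withdrawal", "acct5001", 300, "emp01"),
    "unknown_initiator": Transaction("deposit", "acct9001", 50, "emp99"),
    "large_loan_unapproved": Transaction("loan_disbursement", "acct9002", 50_000, "emp03"),
    "large_loan_self_approved": Transaction("loan_disbursement", "acct9002", 50_000, "emp03", ("emp03",)),
    "large_loan_teller_approved": Transaction("loan_disbursement", "acct9002", 50_000, "emp03", ("emp01",)),
    "large_loan_dual_control": Transaction("loan_disbursement", "acct9002", 50_000, "emp03", ("emp05",)),
}


def sample_decisions():
    """Authorization outcome for each constructed transaction."""
    return {name: authorize(tx, SAMPLE_EMPLOYEES)
            for name, tx in SAMPLE_TRANSACTIONS.items()}


if __name__ == "__main__":
    for name, (allowed, code) in sample_decisions().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY ':5s} {code}")
```

The three denied loan scenarios show why the approver check has to be more than "a second name was entered": approval by the initiator, or by someone whose role could not have performed the transaction, gives no separation of duties, which is the gap the next paragraph notes fraudsters exploited by recruiting colleagues.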

However, as evidenced in some of the cases in this study, motivated fraudsters may find ways around these measures. Cases exist in which insiders recruited others inside the victim organization precisely to get around role-based access controls. In addition, the crimes where managers were involved in the fraud scheme may have continued as long as they did because of the trust the victim organization had in the manager, which may have resulted in less monitoring of their online activity or auditing of their financial transactions. Therefore, for most organizations, detection of ongoing fraud activities is essential.

The fact that insider fraud crimes are often long and ongoing does not bode well for the victim organizations. However, it does afford the victim organization ample opportunity to discover the crime and possibly curtail the activity to limit damage. The goal is to prevent the unauthorized activity; but if that is not possible, then the organization should strive to detect it as early as possible to minimize damage.


¹⁰ Many of the recommendations in this section are adapted from the book titled The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes [Cappelli 2012].
There are two primary means for detecting insider fraud. The first is external discovery of the crime, potentially as a result of investigation into financial losses incurred by customers of the financial institution, or as noticed by law enforcement in relation to another criminal matter. In some of the incidents in this study, the actual fraud crime was conducted by an outsider to the victim organization, so the organization had a very limited ability to monitor and detect the crime. The second is the discovery of the internal crime (i.e., discovery of the malicious actions of the insider or accomplice). In these situations, the victim organization typically has an opportunity to detect the illicit insider activity at any point from planning, to insider recruitment, to execution.

Table 4: Summary of Recommended Controls

Practice Areas to Consider

Finding 1: Criminals who executed a "low and slow" approach accomplished more damage and escaped detection for longer.

  1. Consideration: Consider fraud levels and durations when setting audit and investigation thresholds.
     Justification from Cases Studied: The nature of the fraud levels and durations provide a potential benchmark timeline to members of the financial services community.

  2. Consideration: Consider policies and practices regarding the timing of employee assistance.
     Justification from Cases Studied: Employee assistance offered when employees are facing difficult times may help resolve the employee's issues or otherwise deter an employee from engaging in illegal acts.

Finding 2: Insiders did not generally have technical responsibilities.

  1. Consideration: Consider good security principles regarding access control, least privilege, and separation of duties when developing policies and controls.
     Justification from Cases Studied: Restricting the level of employee access to that necessary to perform job duties may have limited or prevented the damage incurred in several of the cases.

  2. Consideration: Consider all employees, regardless of their technical expertise, when defining security practices and controls.
     Justification from Cases Studied: Ill-intentioned employees will leverage the most easily exploitable vulnerabilities first, and often; such vulnerabilities are within the reach of most non-technical personnel.

Finding 3: Fraud by managers differs substantially from fraud by non-managers by damage and duration.

  1. Consideration: Consider auditing activities of accountants and managers on a more detailed level or a more frequent basis than other employees.
     Justification from Cases Studied: Accountants and managers cause the most damage from insider fraud and evade detection for the longest amount of time.

  2. Consideration: Consider the enforceability of organizational policies; clearly communicate policies to all employees.
     Justification from Cases Studied: Non-managers may be reluctant to report when their supervisors violate rules, especially in regard to exceptions to the usual process that seem innocent.

  3. Consideration: Consider restricting the ability of employees to perform actions on their own, or a family member's, account.
     Justification from Cases Studied: Several cases involved the use of an insider's account, or that of a family member, in the perpetration of fraud.

  4. Consideration: Consider the need for access provided to those in senior or supervisory positions.
     Justification from Cases Studied: Privileges often accumulate over years of employment without employee access being closely examined by the victim organization.

Finding 4: Most cases do not involve collusion, but external collusion is much more common than internal collusion.

  1. Consideration: Consider alerting employees to watch out for external parties who might want access to PII; educate employees on the penalties involved with illicit use of that information.
     Justification from Cases Studied: External parties were often involved as a conduit to sell stolen PII or pose as a legitimate account holder.

Finding 5: Most incidents were detected through an audit, customer complaints, or co-worker suspicions.

  1. Consideration: Consider instituting an open and anonymous communication channel for employees to use if they have reason to suspect their co-workers of engaging in fraud.
     Justification from Cases Studied: Co-workers were unwittingly involved in activity related to the fraud. Co-worker suspicions, if reported, may have allowed the fraud to be detected earlier.

  2. Consideration: Consider increasing the frequency of audits conducted in an impromptu fashion.
     Justification from Cases Studied: While audits were often useful to detect fraudulent activity, greater frequency may have permitted earlier detection.

Finding 6: Personally identifiable information (PII) is a prominent target of those committing fraud.

  1. Consideration: Consider access restrictions on workstations that process PII.
     Justification from Cases Studied: Theft of PII often involved low-tech methods such as simple printing, screen captures, cutting and pasting into text files, or even copying PII to paper or reciting it over the phone.

  2. Consideration: Consider increasing the frequency of audits conducted on information systems that process customer PII.
     Justification from Cases Studied: While audits were often useful to detect fraudulent activity, greater frequency may have permitted earlier detection.

  3. Consideration: Consider performing analyses of fraud incidents to determine how to prevent or detect similar fraud crimes in the future.
     Justification from Cases Studied: Gaps in an organization's fraud prevention and detection measures are apparent from the methods used by fraud perpetrators.

5.1 Behavioral and Business Process Recommendations

The following behavioral and/or business process recommendations are provided in response to the six findings described in Table 4. These recommendations are intended to be implemented in conjunction with other organization controls targeted at preventing, detecting, or responding to malicious insider activity. Be sure to consult with legal counsel prior to implementing any recommendations to ensure compliance with federal, state, and local laws.

Clearly  document  and  consistently  enforce  policies  and  controls. 

Clear documentation and communication of technical and organizational policies and controls could have mitigated some of the insider incidents of fraud. Consistent policy enforcement is important; inconsistent policy enforcement may lead some employees to feel they are being treated differently than other employees and provide a potential motivation to retaliate against this perceived unfairness. Some insiders in this study were able to commit fraud against their organization due to inconsistent or unenforced policies and/or inconsistent monitoring and auditing of transactions.
Institute periodic security awareness training for all employees.

A culture of security awareness should be instilled in every organization so that all employees understand the need for policies, procedures, and technical controls. All employees must be made aware that security policies and procedures exist, that there is a good reason why they exist, that they must be enforced, and that there can be serious consequences for infractions. Employees also need to be aware that individuals, either inside or outside the organization, may try to co-opt them into activities that are counter to the organization’s mission, including committing fraud. Each employee needs to understand the security policies and the process for reporting policy violations.

5.2 Monitoring and Technical Recommendations

The following monitoring and technical recommendations are provided in response to the six findings described in Table 4. These recommendations are intended to be implemented in conjunction with other organization controls targeted at preventing, detecting, or responding to malicious insider activity. Be sure to consult with legal counsel prior to implementing any controls to ensure compliance with federal, state, and local laws.

Include  unexplained  financial  gain  in  any  periodic  reinvestigations  of  employees. 

Many organizations use screening mechanisms in their hiring process to determine the financial status of potential employees. This helps organizations to determine the trustworthiness of potential employees. However, few organizations do this on a regular basis after an employee is hired. If possible, organizations should institute a periodic reinvestigation process for employees in positions of trust. Attempts should be made to determine whether employees are under significant financial stress; such stress may make them more likely to participate in fraud or make them susceptible to recruitment into a fraud scheme. In addition to determining negative financial stressors, organizations should attempt to determine unexplained wealth or living beyond one’s means, since this may also indicate participation in a fraud scheme.

Log,  monitor,  and  audit  employee  online  actions. 

If account and password policies and procedures are enforced, online actions can be associated with the employee who performed them. Logging, periodic monitoring, and auditing provide an organization the opportunity to discover and investigate suspicious insider actions before more serious consequences occur. Organizations can use data-leakage tools to detect unauthorized changes to the system and the downloading of confidential or sensitive information, such as IP, customer or client data, and PII.
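The two halves of this recommendation, attributing each logged action to a named employee and flagging bulk or off-hours handling of sensitive data, can be illustrated with a small audit-log analysis. The following is an added example and not code from the report or from the CERT Insider Threat Center; the log format, the account-to-employee mapping, the thresholds, and the sample log lines are all constructed for illustration. It also shows the failure mode the first sentence implies: events performed under a shared account cannot be attributed to anyone, so they are reported separately rather than silently dropped.

```python
"""Attribute audit-log events to employees and flag sensitive-data exports.

Added example, not part of the CERT report. The log format, the account
mapping, the thresholds and the sample lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed account -> employee-of-record mapping. "teller-shared" is a
# shared account and therefore cannot be attributed to one person.
ACCOUNT_OWNER = {
    "jsmith": "J. Smith (teller)",
    "mlopez": "M. Lopez (branch manager)",
    "teller-shared": None,
}

# Constructed audit-log lines: timestamp, account, action, object, record count.
SAMPLE_LOG = """\
2012-03-05T09:12:41 jsmith VIEW customer_record 1
2012-03-05T09:40:03 jsmith VIEW customer_record 1
2012-03-05T18:55:10 jsmith EXPORT customer_pii 350
2012-03-05T10:02:19 mlopez APPROVE wire_transfer 1
2012-03-05T22:17:44 teller-shared EXPORT customer_pii 40
2012-03-06T08:30:00 mlopez VIEW customer_record 1
"""

SENSITIVE_ACTIONS = {"EXPORT", "PRINT", "COPY"}   # actions that move data out
EXPORT_ALERT_THRESHOLD = 100                      # records in one event (assumed)
BUSINESS_HOURS = (8, 18)                          # 08:00-18:00 local (assumed)


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, account, action, obj, count = parts
        try:
            events.append({
                "time": datetime.fromisoformat(ts),
                "account": account,
                "action": action,
                "object": obj,
                "count": int(count),
            })
        except ValueError:
            continue
    return events


def analyze(events, owners=ACCOUNT_OWNER):
    """Return (alerts keyed by employee, events that cannot be attributed)."""
    alerts = defaultdict(list)
    unattributed = []
    for ev in events:
        owner = owners.get(ev["account"])
        if owner is None:
            # Shared or unknown account: the action cannot be tied to a person.
            unattributed.append(ev)
            continue
        if ev["action"] not in SENSITIVE_ACTIONS:
            continue
        reasons = []
        if ev["count"] >= EXPORT_ALERT_THRESHOLD:
            reasons.append(f"bulk {ev['action'].lower()} of {ev['count']} records")
        hour = ev["time"].hour
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            reasons.append(f"{ev['action'].lower()} outside business hours at {ev['time']:%H:%M}")
        if reasons:
            alerts[owner].append((ev["time"], ev["object"], reasons))
    return dict(alerts), unattributed


if __name__ == "__main__":
    found, orphans = analyze(parse_log(SAMPLE_LOG))
    for employee, items in found.items():
        for when, obj, reasons in items:
            print(f"ALERT {employee}: {obj} at {when:%Y-%m-%d %H:%M}: " + "; ".join(reasons))
    for ev in orphans:
        print(f"UNATTRIBUTED {ev['account']} {ev['action']} {ev['object']} at {ev['time']:%Y-%m-%d %H:%M}")
```

On the sample data the 350-record export by the teller account is flagged twice (bulk and after hours), and the export under the shared account lands in the unattributed list, which is the case an auditor would have to resolve by other means.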

Pay  special  attention  to  accountants  and  managers. 

Instituting separation of duties into critical business processes is one way to prevent fraudulent transactions from occurring. In addition, in the event the separation of duties was unsuccessful at preventing suspicious events, audit programs can be put in place to identify such transactions. However, what if a manager or someone in the auditing or accounting process is also involved in a fraud scheme? Organizations should consider implementing processes that “check the checker,” allowing an objective third party to verify the transactions of managers or others involved in a transaction’s approval process. Finally, the auditing function in many organizations has become very predictable in terms of schedule, frequency, and what is audited. Instituting unpredictability into the auditing function may be a deterrent for some employees, including accountants, auditors, and managers, or others in positions of trust.
Restrict access to PII.

IT groups face the constant struggle of least privilege when managing access to digital assets. Many organizations struggle with identifying the organization’s critical assets, determining where they are located, and deciding who should have access to them. All too often, organizations allow employees to accumulate privileges over time—privileges build up as users move across projects, between departments, or take new positions. To the best extent possible, employee privileges should be commensurate with the employee’s current job responsibilities—the organization should strive to ensure that employees have appropriate privileges to do their job duties, but not more than they need. Having more privileges than necessary may provide an avenue for an employee to harm the organization. PII should always be treated as a critical asset. Protection strategies should be put in place to protect PII from unauthorized access, and controls should alert proper personnel when PII is accessed, modified, or transmitted within the organization as well as outside the organization.

Develop  an  insider  incident  response  plan. 

Organizations should develop an insider incident response plan to control the damage that results from malicious insider activity. This is challenging because the same people assigned to a response team may be the insiders who could use their knowledge of controls and skills against the organization. Only those responsible for carrying out the plan need to understand and be trained on its execution. Should an insider be suspected of committing fraud, it is important that the organization have evidence in hand to identify the insider and follow up appropriately. Lessons learned should be used to continually improve the plan.
6 Conclusion and Next Steps


This report describes six findings of a study of insider fraud in the U.S. Financial Services Sector:

• FINDING ONE: Criminals who executed a “low and slow” approach accomplished more damage and escaped detection for longer.

• FINDING TWO: Insiders’ means were not very technically sophisticated.

• FINDING THREE: Fraud by managers differs substantially from fraud by non-managers by damage and duration.

• FINDING FOUR: Most cases do not involve collusion.

• FINDING FIVE: Most incidents were detected through an audit, customer complaints, or co-worker suspicions.

• FINDING SIX: Personally identifiable information (PII) is a prominent target of those committing fraud.

The description of each finding includes frequency statistics on important aspects of the finding, case examples illustrating the finding, and preliminary recommendations. The recommendations discussed are fairly general in nature, but are the start of what we hope will be a fruitful discussion with organizations to elaborate what members of the financial services community should do in the face of these findings.

6.1  Considerations  for  Insider  Threat  Program  Implementation 

In their enterprise-wide risk assessments, organizations should consider the threat posed by insiders to the organization’s critical assets, people, technology, information, and facilities. The first step is to identify and prioritize assets, followed immediately by locating the critical assets and determining who has, or should have, authorized access. Many organizations fail during this step when they allow authorized access to extend beyond what is required for employees to fulfill their job responsibilities. Privileges tend to accumulate over time as employees migrate among departments and accept new job responsibilities. It is imperative that

• employees have only the appropriate privileges with critical assets

• employee privileges are known by the organization

• the organization can modify or disable access if an employee changes roles, responsibilities, or employment status

If an organization asks what an employee has access to or where critical assets exist when an employee is walking out the door, it is too late. Diligent access control to critical assets is essential and organizations should not allow this control to degrade over time; recovery from lapses in control can be time consuming.
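The three requirements above, and the “Restrict access to PII” recommendation in Section 5.2, both come down to the same periodic check: compare what each employee currently holds against what the current role needs, and treat access that survives a role change or a departure as a finding. The following is an added example and not code from the report or from CERT; the roles, the entitlement names, the PII classification, and the employee records are constructed, and a real review would draw them from the organization’s HR and identity-management systems.

```python
"""Entitlement review: what employees hold versus what their current role needs.

Added example, not from the CERT report. Roles, entitlements and employee
records are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed role -> entitlements a person in that role needs.
ROLE_ENTITLEMENTS = {
    "teller": {"core_banking:view_account", "core_banking:post_deposit"},
    "loan_officer": {"loan_system:create_application", "loan_system:view_credit_report"},
    "ops_admin": {"core_banking:manage_users", "core_banking:view_account"},
}

# Entitlements that expose PII (constructed). The report treats PII as a
# critical asset, so excess access of this kind is reported on its own.
PII_ENTITLEMENTS = {"loan_system:view_credit_report", "core_banking:view_account"}


@dataclass
class Employee:
    name: str
    role: Optional[str]            # current role; None once employment ends
    active: bool = True
    entitlements: set = field(default_factory=set)


@dataclass
class ReviewResult:
    name: str
    excess: set                    # held but not required by the current role
    missing: set                   # required by the current role but not held
    excess_pii: set                # the subset of `excess` that touches PII
    must_disable: bool             # separated employee who still holds access


def review(emp):
    """Compare one employee's entitlements with the current role's needs."""
    needed = ROLE_ENTITLEMENTS.get(emp.role, set()) if emp.active else set()
    excess = emp.entitlements - needed
    return ReviewResult(
        name=emp.name,
        excess=excess,
        missing=needed - emp.entitlements,
        excess_pii=excess & PII_ENTITLEMENTS,
        must_disable=(not emp.active) and bool(emp.entitlements),
    )


def review_all(employees):
    """Return results only for employees whose access deviates from their role."""
    return [r for r in map(review, employees) if r.excess or r.missing or r.must_disable]


# Constructed records: one teller whose access is exactly what the role needs;
# one who moved from loan officer to teller and kept the loan-system privileges
# (the accumulation the report warns about); one who has left but still holds
# an administrative entitlement.
SAMPLE_EMPLOYEES = [
    Employee("A. Chen", "teller",
             entitlements={"core_banking:view_account", "core_banking:post_deposit"}),
    Employee("B. Patel", "teller",
             entitlements={"core_banking:view_account", "core_banking:post_deposit",
                           "loan_system:view_credit_report", "loan_system:create_application"}),
    Employee("C. Novak", None, active=False,
             entitlements={"core_banking:manage_users"}),
]

if __name__ == "__main__":
    for result in review_all(SAMPLE_EMPLOYEES):
        print(result)
```

Run on a schedule (and again whenever HR records a role change or departure), the `must_disable` and `excess_pii` fields are the two items that answer the report’s question before the employee is “walking out the door” rather than after.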

Most organizations begin assessing an employee or contractor’s trustworthiness as part of the hiring process. Background checks, employment and personal references checks, and individual screenings are valuable; however, organizations should continue to assess trustworthiness after the individual is hired. Organizations should regularly evaluate employees for potential motivators of malicious insider activity, including detecting the presence of financial and professional stressors and employee disgruntlement. Individuals showing such signs are at greater risk for committing a malicious act. Additionally, organizations should similarly scrutinize their contractors, subcontractors, suppliers, and other trusted business partners.

Finally, separation of duties is an effective way to prevent unauthorized transactions in financial systems. Organizations should extend the “separation of duties” model from their business processes to their IT processes. There should not be a single point of failure in any IT operation. Also, when possible, more than one person should be required to complete critical IT functions, including creating and deactivating accounts and modifying privileges. Consistent enforcement of such monitoring and auditing strategies in critical business processes may help to prevent or detect malicious insider activity. Recall that approximately 50 percent of the fraud crimes included in this study were committed by someone in a management-related position; therefore, someone outside an employee’s management chain should audit such transactions. Organizations should implement the same type of consistent auditing in IT processes.
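The paragraph states two rules for critical IT functions: a second person must complete the action, and the person auditing it must sit outside the requester’s management chain. The following is an added example and not code from the report or from CERT; it models those two rules as a pre-check on a privilege-change request. The org chart, the list of critical functions, and the sample requests are constructed, and the precise rules (approver distinct from requester; auditor distinct from both and from every manager above the requester) are an assumption drawn from the paragraph rather than a procedure the report specifies.

```python
"""Two-person control for critical IT functions with an independent auditor.

Added example, not from the CERT report. The org chart, the critical-function
list and the sample requests are constructed for illustration.
"""

# Constructed reporting lines: employee -> direct manager (None at the top).
MANAGER_OF = {
    "ceo": None,
    "cio": "ceo",
    "it_ops_lead": "cio",
    "sysadmin_1": "it_ops_lead",
    "sysadmin_2": "it_ops_lead",
    "audit_lead": "ceo",
    "auditor_1": "audit_lead",
}

# The critical IT functions named by the report: account creation and
# deactivation, and privilege modification.
CRITICAL_FUNCTIONS = {"create_account", "deactivate_account", "modify_privileges"}


def management_chain(person, manager_of=MANAGER_OF):
    """Return the set of managers above `person` (the person is not included)."""
    chain = set()
    current = manager_of.get(person)
    while current is not None and current not in chain:   # guard against cycles
        chain.add(current)
        current = manager_of.get(current)
    return chain


def check_request(request, manager_of=MANAGER_OF):
    """Return (allowed, reasons) for one request.

    request: dict with keys 'function', 'requester', 'approver', 'auditor'.
    Rule 1: the approver must be a second person.
    Rule 2: the auditor must be neither party to the request nor anyone in
            the requester's management chain.
    Non-critical functions pass without the two-person rule.
    """
    reasons = []
    if request["function"] not in CRITICAL_FUNCTIONS:
        return True, []
    requester = request["requester"]
    approver = request.get("approver")
    auditor = request.get("auditor")
    if approver is None or approver == requester:
        reasons.append("approver must be a second person")
    if auditor is None:
        reasons.append("critical function requires an independent auditor")
    else:
        conflicted = {requester, approver} | management_chain(requester, manager_of)
        if auditor in conflicted:
            reasons.append(f"auditor {auditor} is a party to the request or in the requester's management chain")
    return (not reasons), reasons


# Constructed requests: self-approval; an auditor who is the requester's own
# manager; a compliant request; and a non-critical function.
SAMPLE_REQUESTS = [
    {"function": "modify_privileges", "requester": "sysadmin_1", "approver": "sysadmin_1", "auditor": "auditor_1"},
    {"function": "create_account", "requester": "sysadmin_1", "approver": "sysadmin_2", "auditor": "it_ops_lead"},
    {"function": "deactivate_account", "requester": "sysadmin_1", "approver": "it_ops_lead", "auditor": "auditor_1"},
    {"function": "reset_own_password", "requester": "sysadmin_1", "approver": None},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        ok, why = check_request(req)
        print(req["function"], "ALLOWED" if ok else "REJECTED", "; ".join(why))
```

The second sample request is the case the paragraph is about: the approver is a genuine second person, but the auditor is the requester’s own manager, so the check rejects it even though a naive two-signature rule would have let it through.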

6.2  Identify  Technical  Gaps 

Most organizations face the challenge of differentiating anomalous and normal network activity. Many IT tools exist to meet this challenge, but it takes significant effort to customize these tools to a specific organization’s business processes. In addition, organizations often struggle to determine and maintain baseline behavior at the individual level and scale it across the enterprise. It is time consuming to achieve a degree of confidence in distinguishing normal variations in baseline behavior from abnormal variations.
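The difficulty described here, that a baseline is only as good as the history behind it and that the same raw count can be normal for one person and abnormal for another, is easy to show with per-employee daily activity counts. The following is an added example and not code from the report or from CERT; the daily counts, the minimum history length, and the sigma threshold are constructed assumptions, and a real deployment would feed counts from the log aggregation tools the report mentions.

```python
"""Per-employee activity baselines with a confidence gate.

Added example, not from the CERT report. Daily counts, the minimum history
length and the threshold are constructed for illustration.
"""
from statistics import mean, pstdev

MIN_BASELINE_DAYS = 10   # with less history, refuse to score (assumed)
SIGMA_THRESHOLD = 3.0    # flag when today exceeds mean + 3 sigma (assumed)
MIN_SIGMA = 1.0          # floor so a very regular history still tolerates small change


def score_day(history, today):
    """Return (anomalous, z, reason) for one employee.

    history: past daily counts of one activity (e.g. customer records viewed)
    today:   the count being evaluated
    A short history returns z=None: the baseline is not trustworthy yet.
    """
    if len(history) < MIN_BASELINE_DAYS:
        return False, None, f"baseline too short ({len(history)} days)"
    mu = mean(history)
    sigma = max(pstdev(history), MIN_SIGMA)
    z = (today - mu) / sigma
    if z > SIGMA_THRESHOLD:
        return True, z, f"{today} vs baseline mean {mu:.1f} (z={z:.1f})"
    return False, z, "within normal variation"


def score_all(baselines, today_counts):
    """Score every employee; returns name -> (anomalous, z, reason)."""
    return {name: score_day(baselines.get(name, []), count)
            for name, count in today_counts.items()}


# Constructed history: a very steady teller, a teller whose workload swings
# widely from day to day, and a new hire with only three days on record.
BASELINES = {
    "teller_a": [40, 42, 38, 45, 41, 39, 44, 40, 43, 37, 42, 41, 39, 44, 40],
    "teller_b": [20, 60, 15, 80, 25, 70, 10, 65, 30, 75, 20, 55, 18, 68, 22],
    "new_hire": [12, 15, 14],
}
# The same count for all three, to show that the verdict depends on the baseline.
TODAY = {"teller_a": 100, "teller_b": 100, "new_hire": 100}

if __name__ == "__main__":
    for name, (flag, z, reason) in score_all(BASELINES, TODAY).items():
        print(f"{name}: {'ANOMALY' if flag else 'ok'} - {reason}")
```

A count of 100 is more than twenty standard deviations above the steady teller’s baseline but well inside the swinging teller’s normal range, and for the new hire the right answer is to withhold judgement until the history is long enough, which is the “degree of confidence” the paragraph refers to.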

Relying on technical controls alone to differentiate anomalous but acceptable behavior from malicious behavior may not be the most effective way to address the threat posed by insiders. Organizations should consider combining the results of IT log aggregation and analysis tools with non-technical indicators that may be derived from internal and external data sources such as those listed below:

•  results  of  employee  and  contractor  performance  management  processes 

•  employee  dispute  resolution  processes 

•  employee  assistance  processes 

•  credit  rating  systems 

•  law  enforcement  and  criminal  history  databases 

•  facility-tracking  systems 

Such tools may help organizations to identify 1) individuals who are susceptible to recruitment into a fraud scheme and 2) disgruntled employees who may be more likely to sabotage an IT system or steal critical data when they leave.

The topic of employee monitoring draws together a mixture from different areas of the law, from labor to constitutional. As technology continues to evolve, legislators and the judiciary will continue to be confronted with new questions. Employers will need to keep a watchful eye on this process to avoid violating internal policy, regulatory requirements, or legal statutes. Collaboration among staff, including legal staff, will widen your knowledge base and lead to a more informed set of policies and processes.*

6.3  Conclusion 

As long as there are institutions that hold money, internal and external adversaries will make every attempt to subvert control mechanisms to illegally profit. To defeat those who are defrauding financial services companies, security professionals in this sector must master both the technical and behavioral aspects of the problem as well as ensure compliance with external regulators and internal governance initiatives, all while protecting their organizations’ profits, shareholders, and customers. This report will not solve the problem entirely or give the financial sector a set of procedures guaranteed to prevent employees from conducting illegal activities. Rather, it paints a relatively complete picture of 80 recent cases of insider fraud and provides important insights into those cases.

The insider fraud models presented in this report round out the CERT series of insider threat models. Security professionals have used our previous models to establish countermeasures in dealing with insider IT sabotage, insider theft of IP, and national security espionage. We hope that these previous models and this new insider fraud model have a similar impact on the financial sector. Certainly the study of future cases may yield different insights, but we have found that our past models have stood the test of time. Although we published our other insider threat models quite some time ago (beginning in 2005), we have discovered that in the interim the overarching patterns in the cases have not changed.

We also hope this report will encourage the continued dialog between public, private, and research entities. Conversations about these findings will help us to learn even more and supplement the community’s collective knowledge. The CERT Insider Threat Center has been conducting research into the problem of malicious insiders for more than a decade. In that time, we have seen progress in some areas of the problem; we have also seen other issues repeatedly resurface. Perhaps the most important message we can convey to those who are unfamiliar with the issue is that defeating insider threats is not solely the problem of IT, HR, or security—it’s everyone’s problem.

6.4  Next  Steps 

Upon publication of this report, the USSS and the CERT Insider Threat Center will present their findings at financial service sector venues as well as at Secret Service Electronic Crime Task Force (ECTF) chapter meetings across the country. We gladly accept comments and suggestions, which we may incorporate into an addendum to this report. We welcome ongoing feedback on any practices and technical solutions that members of the financial sector have implemented to successfully counter insider threats. Finally, we will attempt to answer any questions not covered in this report by querying and further analyzing our database of insider incidents. Contact us at insider-threat-feedback@cert.org.


* CERT Insider Threat Center internal publication.
Appendix A: The Insider Threat Center at CERT


The text in this section was excerpted from the book titled The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) [Cappelli 2012].


The Software Engineering Institute’s CERT Program

The CERT Program is part of the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh. Following the Morris worm incident, which brought 10 percent of internet systems to a halt in November 1988, the Defense Advanced Research Projects Agency (DARPA) charged the SEI with setting up a center to coordinate communication among experts during security emergencies and to help prevent future incidents. This center was named the CERT Coordination Center (CERT/CC).

While CERT continues to respond to major security incidents and analyze product vulnerabilities, the role has expanded over the years. Along with the rapid increase in the size of the internet and its use for critical functions, there have been progressive changes in intrusion techniques, increased amounts of damage, increased difficulty of detecting an attack, and increased difficulty of catching the attackers. To better manage these changes, the CERT/CC is now part of the larger CERT Program, which develops and promotes the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of critical services.


The  CERT  Insider  Threat  Center 

The CERT Insider Threat Center, part of the CERT Program, began research in 2000 and has continued to grow. The original insider threat research was sponsored by the U.S. Department of Defense (DoD) and focused on insider threats in the military services and defense agencies. The research ramped up in 2001, when the Secret Service National Threat Assessment Center (NTAC) and the CERT Insider Threat Center joined efforts to conduct a unique study of insider incidents. DHS S&T provided financial support for the completion of the study in 2003 and 2004. Four reports were produced as a result of that effort focusing on the banking and finance sector [Randazzo 2004], the information technology sector [Kowalski 2008a], the government [Kowalski 2008b], and the analysis of insider IT sabotage across all critical infrastructure sectors [Keeney 2005]. Since 2005, DHS Federal Network Security (FNS) has provided funding to allow CERT to continue its insider threat research.

The objective of the CERT Insider Threat Center is to assist organizations in preventing, detecting, and responding to insider compromises. The foundation of the work is the CERT database of more than 700 insider threat cases. System dynamics modeling is used to characterize the nature of the insider threat problem, explore dynamic indicators of insider threat risk, and identify and experiment with administrative and technical controls for insider threat mitigation. The CERT insider threat lab provides a foundation to identify, tune, and package technical controls as an extension of the modeling efforts. In addition to the models, the team has developed an assessment framework, based on fraud, theft of intellectual property, and IT sabotage case data, to assist organizations in identifying their technical and non-technical vulnerabilities to insider threats, as well as executable countermeasures. The CERT Insider Threat Center is uniquely positioned as a trusted broker to assist the community in the short term, and through ongoing research.


CMU/SEI-2012-SR-004  |  50 


Appendix B: The Structure of the CERT Insider Threat Database


At a high level, the CERT insider threat database involves three entities: the organization(s) involved, the insider (subject), and the details of the incident. Figure 17 shows the primary relationships among these three entities.


Figure  17:  High-Level  Structure  of  the  CERT  Insider  Threat  Database 

Organization  Data 

Multiple organizations can be involved in a single incident. An organization that is negatively impacted by an incident is designated as a victim organization. Incidents may also involve the victim organization’s trusted business partner. In these incidents, the malicious insider is not directly employed by the victim organization, but is able to attack the victim organization via access authorized by a contractual relationship with the insider’s employer.

Incidents, particularly those involving theft of IP, may also involve a beneficiary organization—an organization that knowingly or unknowingly benefits from the incident to the detriment of the victim organization. When entering case data into the CERT insider threat database, we identify the organization and any organizational issues relevant to the case, as shown in Table 5.*


* The tables in this appendix do not represent the CERT insider threat database’s data dictionary. They merely provide insight into the type of information collected for each incident and a few sample values for each case.
Table 5: Organization Information Collected

Organization Subcategory: Information Collected in the Database

Organization Descriptors: name, address, relation to insider

Organization Type: victim, beneficiary, trusted business partner, other

Organization Description: description of the organization

Industry Sector: critical infrastructure sector of the organization

Based in the United States?: location of the organization; based in the United States?

Organization Issues: work environment, such as hostile work environment or culture of mistrust, and layoffs, mergers, and acquisitions, reorganizations, and other workplace events that may have contributed to an insider’s decision to act

Opportunity Provided to Insider: actions taken by an organization that may have contributed to the insider’s decision to take action (such as demotions or transfers of employees); failure on the part of the organization to take action based on concerning behaviors or other events, actions, or conditions; or vulnerabilities, for example, insufficient monitoring of external access

Subject  Data 

We collect as many details as possible about the insider, including details regarding planning activities. These details are generally discovered after an incident has already occurred, but they are essential to preventing future insider threats. We also collect information about the insider’s accomplices, including demographic data, the accomplice’s relationship to the insider and the victim organization, and the accomplice’s role in the incident.

We do not make any judgments about the insider or attempt to diagnose his or her behavior; we code exactly what we find in the source materials.

Table  6  describes  the  subject  attributes  in  more  detail. 


Table 6: Subject Information Collected

Subject Subcategory: Information Collected in the Database

Descriptors: name, gender, age, citizenship, residence, education, employee title/type/status, departure date, tenure, access, position

Motives and Unmet Expectations: motives (financial, curiosity, ideology, recognition, external benefit), unmet expectations (promotion, workload, financial, usage)

Concerning Behaviors: tardiness, insubordination, absences, complaints, drug/alcohol abuse, disgruntlement, co-worker/supervisor conflict, violence, harassment, poor performance, poor hygiene, etc.

Violation History: security violations, resource misuse, complaints, deception about background

Consequences: reprimands, transfers, demotion, HR reports, termination, suspension, access revocation, counseling

Substance Abuse: alcohol, hallucinogens, marijuana, amphetamines, cocaine, sedatives, heroin, inhalants

Planning and Deception: prior planning activities, explicit deceptions
Incident Data


The information we collect about an incident includes individual actions taken to set up the attack, vulnerabilities exploited during the attack, steps taken to conceal it, the way the incident was detected, and the impact on the victim organization. In addition, we also collect data on the victim organization’s response to the incident and events and conditions that may have contributed to an insider’s decision to attack. Table 7 describes the incident attributes in more detail.


Table 7: Incident Information Collected

Incident Subcategory: Information Collected in the Database

Case Summary: incident dates, duration, prosecution

Conspirators: accomplices, type of collusion, relationships to insider

Information Sources: origin type

Incident Chronology: sequence, date, place, event

Investigation and Capture: how the insider was identified and caught

Prosecution Result: indictment, subject’s story, sentence, case outcome

Recruitment: outside/competitor induced, insider collusion, outsider collusion, acted alone, reasons for collusion

IT Accounts Used: subject’s, organization’s, system administrator’s, database administrator’s, co-worker’s, authorized third party’s, shared, back door

Outcome: data copied/deleted/read/modified/created/disclosed, identity theft, creation of unauthorized document, denial of service

Impact: description, financial

How Detected: software, information system, audit, non-technical, system failure

Who Detected: self-reported, IT staff, other internal; customer, law enforcement, competitor, other external

Log Files Used: system files, email, remote access, internet service provider

Who Responded: incident response team, management, other internal

Vulnerabilities Exploited: sequence of exploit, description, vulnerability grouping

Technical Methods: technical methods used to set up and/or carry out the attack (e.g., hardware device, malicious code, modified logs, compromised account, sabotaged backups, modified backups)

Concealment Methods: concealment methods used to hide technical and non-technical methods
Appendix C: Other Insider Threat Concerns in the Financial Sector


No single pattern describes all malicious insider activity. The CERT Insider Threat Center’s analysis of individual insider crimes has identified three distinct crime profiles, based on the motivations of the insider and the impact to the victim organization. This section compares insider crimes in the financial sector against our existing crime profiles and other types of insider crimes.

Insider  IT  Sabotage  in  the  Financial  Services 

Insider IT sabotage is typically committed by technical users with privileged access, such as system administrators, database administrators, and programmers. The motivation in these crimes is usually revenge for a negative workplace event, and the crimes are often set up while still employed, but executed following termination. [Cappelli 2012]

The crime of IT sabotage is typically motivated primarily by revenge against the victim organization for a perceived injustice done to the insider. Examples of perceived injustices, pulled from actual incidents in the CERT insider threat database, include

•  being  passed  over  for  a  promotion 

•  losing  control  of  a  critical  system  or  application 

•  failure  to  receive  a  bonus  or  raise 

•  the  hiring  of  a  new  supervisor 

•  demotions 

When these insiders experienced some degree of unmet expectations, they typically became disgruntled. As the disgruntlement increased, they began to demonstrate non-technical observables in the workplace, such as conflicts with co-workers or supervisors, performance problems, and time and attendance problems. As victim organizations observed this behavior, they reprimanded the insiders, which, in many of the incidents, contributed to the escalation of the insider’s disgruntlement and his or her decision to seek revenge against the victim organization by sabotaging a critical system, service, or data.

Disgruntlement is frequently exhibited in non-technical ways prior to the insider using technology to set up or carry out their attack. Once an insider decides to disrupt data or a critical system or service, he or she typically uses a privileged account to create an unknown access path into the victim organization’s network. The unknown access paths can take the form of an unauthorized account, malicious code, or some other method of inflicting harm without detection. In most instances, insiders set up their attack prior to leaving the victim organization, often via remote access after normal working hours, and the impact to the victim organization is realized after voluntary or involuntary termination.

In our larger database of over 700 cases, there are 145 cases of IT sabotage, and 15 of those were in the financial sector. Of the 80 incidents included in this study, 2 are categorized as IT sabotage. In both incidents, the insiders had been reprimanded for poor performance, the victim organizations attempted to implement sanctions to correct the behavior, the sanctions resulted in termination, and, prior to leaving the victim organization, the insiders set up their attack, which eventually disrupted a critical system or service. These two incidents are consistent with the MERIT model's description of IT sabotage [Moore 2008].

Insider  Theft  of  IP  in  the  Financial  Services 

Insider theft of intellectual property (IP) is usually committed by scientists, engineers, programmers, and salespeople. These insiders usually steal the information they worked on, and take it with them as they leave the victim organization to start their own business, take it to a new job, or give it to a foreign government or organization. [Cappelli 2012]

The crime of IP theft is motivated primarily by the insider's desire to obtain or retain a competitive advantage as he or she leaves a victim organization to work for a competing organization, to start a competing organization, or to provide information to a foreign government or organization. While it could be argued that theft of IP benefits the insider financially, the insiders who take IP tend to have longer term aspirations than immediate financial gain. The crime allows the insider to advance his or her career.

The  relevant  cases  in  the  CERT  insider  threat  database  indicate  the  following  types  of  stolen  IP 
[Cappelli  2012]: 

•  proprietary  software  and  source  code 

•  business  plans,  proposals,  and  strategic  plans 

•  customer  information 

•  product  information  (e.g.,  designs,  formulas,  schematics) 

The  insiders  typically  stole  information  to  which  they  had  regular,  authorized  access  as  part  of 
their  job  responsibilities.  Many  of  the  insiders  stole  the  information  while  at  work  and  during 
normal  working  hours.  These  patterns  make  it  very  difficult  for  an  organization  to  distinguish 
normal  behavior  from  abnormal  or  illicit  behavior. 

Previous  CERT  research  has  identified  two  prominent  types  of  IP  thieves  [Moore  2009]: 

•  entitled independent — An insider acting primarily alone to steal information to take to a new job or to his or her own side business. The entitled independent tends to believe that he or she owns the IP. This sense of ownership increases with the amount of time and effort the individual spends developing the IP. The insider usually has authorized access to the entire product suite or information. An event or condition in the workplace usually creates dissatisfaction on the part of the individual and increases his or her desire to leave and take information prior to departure.

•  ambitious  leader — A  leader  of  an  insider  crime  who  recruits  insiders  to  steal  information  for 
some  larger  purpose.  Ambitious  leaders  are  different  from  entitled  independents  in  that  they 
tend  to  not  have  authorized  access  to  all  the  information  they  need,  which  is  why  they  involve 
others  in  the  scheme.  A  second  difference  is  that  ambitious  leaders  tend  not  to  be  dissatisfied 
with  the  victim  organization.  Instead  they  tend  to  steal  the  information  primarily  to  benefit 
personally  in  a  future  business  opportunity. 
The majority of insiders who steal IP do so relatively close to announcing their resignation. This provides a window of opportunity for the victim organization to detect the unauthorized access or exfiltration of information.
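The two detectable patterns described in this section, the sabotage setup (a privileged user creating accounts or scheduled jobs after hours, followed by activity after termination either by the departed user's own account or by an account that user created) and the pre-resignation exfiltration window for IP theft, can be turned into concrete checks over audit data. The following Python sketch is an added example written for this edition; it is not code from the CERT report or the MERIT model. The log format, the field names, the HR roster, the business-hours bounds and the 30-day window with a 5x volume threshold are all assumptions chosen for the example, and the sample records are constructed, not drawn from real incidents.

```python
"""Detection sketch for two insider-threat patterns over a constructed audit log.

Assumptions (not from the report): a pipe-delimited audit format
'timestamp|actor|action|target|bytes', an HR roster giving privilege and
separation data per user, business hours 08:00-18:00 on weekdays, and a
30-day pre-resignation window compared against the preceding 30 days.
"""
from datetime import datetime, timedelta

# Constructed HR roster (illustrative only).
HR = {
    "jdoe":   {"privileged": True,  "separated": datetime(2011, 3, 4),  "kind": "terminated"},
    "asmith": {"privileged": False, "separated": datetime(2011, 5, 20), "kind": "resigned"},
    "bwong":  {"privileged": True,  "separated": None,                  "kind": None},
}

# Constructed audit log (illustrative only): timestamp|actor|action|target|bytes
AUDIT_LOG = """\
2011-03-01T10:15:00|bwong|CREATE_ACCOUNT|new_hire_01|0
2011-03-01T23:40:00|jdoe|CREATE_ACCOUNT|svc_backup2|0
2011-03-02T02:10:00|jdoe|SCHEDULE_JOB|cleanup.sh|0
2011-03-10T21:05:00|svc_backup2|LOGON|vpn|0
2011-03-12T01:00:00|jdoe|LOGON|vpn|0
2011-04-01T11:00:00|asmith|FILE_READ|module_a.zip|500000
2011-04-08T14:00:00|asmith|FILE_READ|module_b.zip|400000
2011-05-12T13:00:00|asmith|FILE_READ|full_source_tree.zip|90000000
2011-05-13T15:30:00|asmith|FILE_READ|customer_list.xlsx|20000000
"""

SETUP_ACTIONS = {"CREATE_ACCOUNT", "SCHEDULE_JOB", "MODIFY_ACL"}


def parse_log(text):
    """Parse the constructed 'ts|actor|action|target|bytes' format into sorted dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, actor, action, target, nbytes = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "actor": actor,
                       "action": action, "target": target, "bytes": int(nbytes)})
    return sorted(events, key=lambda e: e["ts"])


def off_hours_privileged_setup(events, hr, day_start=8, day_end=18):
    """Privileged users creating accounts or jobs outside business hours or at weekends."""
    hits = []
    for e in events:
        if e["action"] not in SETUP_ACTIONS or not hr.get(e["actor"], {}).get("privileged"):
            continue
        ts = e["ts"]
        if ts.weekday() >= 5 or not (day_start <= ts.hour < day_end):
            hits.append(e)
    return hits


def post_separation_activity(events, hr):
    """Activity after separation by the departed user's own account, or by an account
    that user created (the 'unknown access path'). Returns (event, resolved owner)."""
    created_by = {e["target"]: e["actor"] for e in events if e["action"] == "CREATE_ACCOUNT"}
    hits = []
    for e in events:
        owner = e["actor"] if e["actor"] in hr else created_by.get(e["actor"])
        sep = hr[owner]["separated"] if owner in hr else None
        if sep is not None and e["ts"] > sep:
            hits.append((e, owner))
    return hits


def pre_resignation_spikes(events, hr, window_days=30, factor=5):
    """Bytes read in the window before a resignation versus the same-length period
    immediately before it; flag when the ratio exceeds `factor`."""
    hits = []
    for user, rec in hr.items():
        if rec["kind"] != "resigned":
            continue
        end = rec["separated"]
        start = end - timedelta(days=window_days)
        base_start = start - timedelta(days=window_days)
        window = base = 0
        for e in events:
            if e["actor"] != user or e["action"] != "FILE_READ":
                continue
            if start <= e["ts"] <= end:
                window += e["bytes"]
            elif base_start <= e["ts"] < start:
                base += e["bytes"]
        ratio = window / max(base, 1)  # zero baseline: any volume in the window is a spike
        if ratio > factor:
            hits.append((user, window, base, round(ratio, 1)))
    return hits


def run(log_text=AUDIT_LOG, hr=HR):
    """Apply all three checks and return the findings as plain tuples."""
    events = parse_log(log_text)
    return {
        "off_hours_setup": [(e["actor"], e["action"], e["target"])
                            for e in off_hours_privileged_setup(events, hr)],
        "post_separation": [(e["actor"], owner, e["action"])
                            for e, owner in post_separation_activity(events, hr)],
        "pre_resignation": pre_resignation_spikes(events, hr),
    }


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, findings)
```

On the constructed data the first check flags the two after-hours setup actions by the privileged user, the second flags both the terminated user's own post-termination VPN logon and the logon by the service account that user had created, and the third flags the resigning employee whose reads in the 30 days before departure dwarf the preceding 30 days. The resolution of a service account back to its creator is the part that matters most in practice: the "unknown access path" is usually an account nobody on the termination checklist knows about.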

In our database of over 700 cases, there are 98 cases of theft of IP, and 11 of those were in the financial sector. Of the 80 incidents included in this study, only 1 is categorized as theft of IP. This incident involved two insiders, both of whom were dissatisfied with their jobs; one was unhappy with his compensation and the other no longer considered his job challenging. Both individuals resigned and went to work for a competitor, which the victim organization discovered only after their resignation. The victim organization became suspicious and conducted forensic examinations of the insiders' computers. They found that both individuals had downloaded all of the software modules for the victim organization's critical application. Both insiders fit the profile of an entitled independent.

Comparing  Insider  Fraud  in  the  Financial  Services  to  Other  Insider  Crimes 

The CERT Insider Threat Center defines insider fraud as an insider's use of IT for the unauthorized modification, addition, or deletion of an organization's data (not programs or systems) for personal gain, or the theft of information that leads to an identity crime (e.g., identity theft, credit card fraud). The insider's potential for financial gain motivates these crimes. All incidents of insider fraud in the CERT insider threat database, across all sectors, and therefore including incidents not examined in this study, suggest the following pattern of behavior for this crime:

Insider  fraud  is  usually  committed  by  non-managers  such  as  help  desk,  customer  service, 
and  data  entry  clerks.  The  crimes  are  motivated  by  financial  need  or  greed,  and  they 
typically  continue  for  a  long  period  of  time.  Many  of  these  insiders  are  recruited  by  outsiders 
to  steal  information.  Collusion  with  other  insiders  is  very  common  in  crimes  involving 
modification  of  information  for  payment  from  the  outside  [Cappelli  2012]. 

Insider fraud and insider theft of IP share many characteristics. Perpetrators of both crimes usually

•  are current employees of the victim organization with authorized access at the time of the crime. (This pattern differs from insiders who commit IT sabotage, who are typically former employees without authorized access.)

•  target PII or customer information

•  tend to commit their crimes while at work and during normal working hours

•  are assisted by outsiders a minority of the time. In about one-third of the fraud cases and 44 percent of the IP theft cases, outsiders had recruited the insider to commit the crime [Cappelli 2012].

•  colluded with one or more individuals in the victim organization in nearly half the fraud and IP theft incidents in the database. We speculate that insider crimes often require collusion to overcome the separation of duties that organizations enforce in attempts to prevent insider crime.

The incidents of insider fraud examined in this study differed starkly from the overall behavioral pattern of insider fraud in one respect. Whereas insider fraudsters are typically non-managers, approximately half of the cases examined in this study involved insiders in a managerial position, including account manager, customer service manager, branch manager, operations manager, assistant manager, vice president, senior vice president, and president.